WordPress Plugin Vulnerabilities

Metform Elementor Contact Form Builder < 3.3.2 - Multiple Subscriber+ Sensitive Information Disclosure Issues

Description

The plugin does not prevent less privileged users, like subscribers, from accessing various sensitive information via the plugin's shortcodes. This includes payment statuses, transaction IDs, submitter's name information, and virtually all fields of any form submissions.

Affects Plugins

Plugin icon
metform
Fixed in 3.3.2

References

CVE
CVE-2023-0688
CVE
CVE-2023-0691
CVE
CVE-2023-0692
CVE
CVE-2023-0693
CVE
CVE-2023-0694

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Ramuel Gall
Verified
No
WPVDB ID
514b1581-2880-44fe-91e1-5874eaffc901

Timeline

Publicly Published
2023-06-08 (about 2 years ago)
Added
2023-06-09 (about 2 years ago)
Last Updated
2023-06-09 (about 2 years ago)

Other

Published
Title
Published
2025-12-31
Title
Varnish/Nginx Proxy Caching <= 1.8.3 - Unauthenticated Information Exposure
Published
2024-07-08
Title
Social Sharing Plugin – Kiwi < 2.1.8 - Information Disclosure
Published
2023-07-19
Title
Essential Addons For Elementor < 5.8.2 - Unauthenticated MailChimp API Key Disclosure
Published
2024-02-20
Title
Error Log Viewer < 1.1.3 - Directory Listing to Sensitive Data Exposure
Published
2025-12-04
Title
Image Cleanup <= 1.9.2 - Unauthenticated Information Exposure