MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor < 3.8.9 – Unauthenticated Sensitive Information Exposure | CVE 2024-4266 | Plugin Vulnerabilities

Description

The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 3.8.8 via the 'handle_file' function. This can allow unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users.

Affects Plugins

Fixed in 3.8.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8edb72f5-dda3-4c59-ba7a-7a460cb59c03

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Tim Coen

Verified

No

WPVDB ID

60351d14-c07f-487d-9b20-be228204ab30

Timeline

Publicly Published

2024-06-10 (about 1 year ago)

Added

2024-06-10 (about 1 year ago)

Last Updated

2024-06-11 (about 1 year ago)

Other

Published

Title

Published

2025-09-22

Title

WP < 6.8.3 - Contributor+ Sensitive Data Disclosure

Published

2026-03-30

Title

Gravity SMTP < 2.1.5 - Unauthenticated Sensitive Information Exposure via REST API

Published

2025-12-15

Title

Document Library Lite < 1.2.0 - Unauthenticated Insecure Direct Object Reference

Published

2023-12-05

Title

Ultimate Dashboard < 3.7.11 - Login Page Disclosure on Multi-site

Published

2024-12-02

Title

WP Mailster < 1.8.17.0 - Unauthenticated Information Exposure