WordPress Plugin Vulnerabilities

Metform Elementor Contact Form Builder < 3.8.4 - Missing Authorization to Notice Dismissal

Description

The Metform Elementor Contact Form Builder is vulnerable to unauthorized modification of data due to a missing capability check on the dismiss_ajax_call function. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss notices.

Affects Plugins

Plugin icon
metform
Fixed in 3.8.4

References

CVE
CVE-2024-33570
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/996d1514-2c1f-4888-ac2f-bc58e926d3ef

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
6306d761-f39b-43d5-bc6a-157a6cd54883

Timeline

Publicly Published
2024-04-25 (about 2 years ago)
Added
2024-05-03 (about 2 years ago)
Last Updated
2024-05-03 (about 2 years ago)

Other

Published
Title
Published
2025-06-05
Title
Responsive Flipbooks <= 1.0 - Missing Authorization
Published
2025-01-31
Title
Shortcodes and extra features for Phlox theme < 2.17.5 - Missing Authorization
Published
2025-04-02
Title
Clients <= 1.1.4 - Missing Authorization
Published
2026-01-21
Title
Travel < 11.1.1 - Missing Authorization
Published
2025-04-10
Title
Doppler Forms < 2.4.7 - Missing Authorization