WordPress Plugin Vulnerabilities

Metform Elementor Contact Form Builder < 3.3.2 - Authenticated (Subscriber+) Information Disclosure via 'mf_first_name' shortcode

Description

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_first_name' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, including the submitter's first name.

Affects Plugins

Plugin icon
metform
Fixed in 3.3.2

References

CVE
CVE-2023-0689
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/356cf06e-16e7-438b-83b5-c8a52a21f903

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (Medium)

Miscellaneous

Original Researcher
Ram
Verified
No
WPVDB ID
64400760-5eda-403d-97bd-05f3c1840efb

Timeline

Publicly Published
2023-08-30 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2023-11-29 (about 2 years ago)

Other

Published
Title
Published
2025-01-06
Title
WP Job Portal – A Complete Recruitment System for Company or Job Board website < 2.2.6- Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2024-11-12
Title
WP ERP < 1.13.4 - Unauthorized Access to Terminated Employee Information
Published
2023-09-25
Title
ActivityPub for WordPress < 1.0.0 - Subscriber+ Arbitrary Post Title Disclosure
Published
2024-08-16
Title
wpForo Forum < 2.3.5 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2026-01-01
Title
Cocco <= 1.5.1 - Authenticated (Subscriber+) Authenticated Insecure Direct Object Reference