Metform Elementor Contact Form Builder < 3.3.3 – Cross-Site Request Forgery | CVE 2023-2517 | Plugin Vulnerabilities

Description

The plugin does not correctly validate nonces on the permalink_setup function. This can potentially enable the alteration of permalink structure via a forged request, if an administrator is tricked into clicking a deceptive link. Verification only takes place when a nonce is provided, leaving the plugin vulnerable to Cross-Site Request Forgery.

Affects Plugins

Fixed in 3.3.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ca66afc3-a749-4ddc-8e2f-959f65cebd45

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Marco Wotschka

Verified

No

WPVDB ID

67bac2d1-99e6-40a6-b627-b27aa6b42e24

Timeline

Publicly Published

2023-06-22 (about 2 years ago)

Added

2023-07-12 (about 2 years ago)

Last Updated

2023-07-12 (about 2 years ago)

Other

Published

Title

Published

2023-11-16

Title

WP Meta and Date Remover < 2.3.1 - Cross-Site Request Forgery via updateSettings

Published

2024-07-04

Title

Rife Free < 2.4.19 - Cross-Site Request Forgery to Notice Dismissal

Published

2021-02-12

Title

Post SMTP Mailer/Email Log < 2.0.21 - CSRF Nonce Bypass

Published

2025-04-09

Title

RentSyst < 2.0.93 - Stored XSS via CSRF

Published

2025-01-07

Title

SingSong <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting