WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Metform Elementor Contact Form Builder < 2.1.4 - Unauthenticated API keys and Secrets Disclosure

Description

The is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs such as PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA etc.

Affects Plugins

metform
Fixed in version 2.1.4

References

CVE
CVE-2022-1442
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1442

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200

Miscellaneous

Original Researcher

Muhammad Zeeshan (Xib3rR4dAr)

Verified

Yes

WPVDB ID
9f3fcdd4-9ddc-45d5-a4af-e58634813c2b

Timeline

Publicly Published

2022-04-23 (about 9 months ago)

Added

2022-04-24 (about 9 months ago)

Last Updated

2022-04-24 (about 9 months ago)

Our Other Services

WPScan WordPress Security Plugin