WordPress Plugin Vulnerabilities

Metform Elementor Contact Form Builder < 2.1.4 - Unauthenticated API keys and Secrets Disclosure

Description

The is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs such as PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA etc.

Affects Plugins

Plugin icon
metform
Fixed in 2.1.4

References

CVE
CVE-2022-1442
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1442

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Muhammad Zeeshan (Xib3rR4dAr)
Verified
Yes
WPVDB ID
9f3fcdd4-9ddc-45d5-a4af-e58634813c2b

Timeline

Publicly Published
2022-04-23 (about 3 years ago)
Added
2022-04-24 (about 3 years ago)
Last Updated
2023-02-04 (about 3 years ago)

Other

Published
Title
Published
2022-11-28
Title
Syncee - Global Dropshipping < 1.0.10 - Authentication Token Disclosure
Published
2025-04-03
Title
TailPress <= 0.4.4 - Unauthenticated Sensitive Information Exposure
Published
2026-01-20
Title
Contact Form & Lead Form Elementor Builder < 2.0.2 - Authenticated (Subscriber+) Information Exposure
Published
2024-07-04
Title
FileBird Document Library < 2.0.8 - Unauthenticated Sensitive Information Exposure
Published
2025-05-06
Title
Download Manager and Payment Form WordPress Plugin – WP SmartPay 1.1.0 - 2.7.13 - Authenticated (Subscriber+) Information Exposure