Metform Elementor Contact Form Builder < 3.2.0 – Unauthenticated Stored XSS | CVE 2023-0084 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape some of its submitted entry data when outputting them back in the admin dashboard, which could allow unauthenticated attackers to perform Stored XSS attacks against an admin viewing the malicious entry

Proof of Concept

Setup (as admin): Create a new form (using MetForm Elementor widgets) and insert a text-area field and a submit button then publish the form.

Attack (as unauthenticated): Visit the created form and insert the following JavaScript code in the text-area and submit: <script>alert(/XSS/)</script> 

The XSS will be triggered when an admin view the created entry in the admin dashboard (MetForm > Entries > View)

Affects Plugins

Fixed in 3.2.0

References

CVE

URL

https://www.wordfence.com/blog/2023/02/high-severity-xss-vulnerability-in-metform-elementor-contact-form-builder/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Mohammed Chemouri

Submitter

Mohammed Chemouri

Submitter website

https://de.linkedin.com/in/chemouri

Verified

Yes

WPVDB ID

d00f05cb-bddb-4b79-b2bc-73129ffd786b

Timeline

Publicly Published

2023-02-03 (about 3 years ago)

Added

2023-02-03 (about 3 years ago)

Last Updated

2023-02-06 (about 3 years ago)

Other

Published

Title

Published

2024-03-16

Title

Table & Contact Form 7 Database – Tablesome < 1.0.28 - Reflected Cross-Site Scripting

Published

2022-05-03

Title

StaffList < 3.1.6 - Reflected Cross-Site Scripting

Published

2025-12-05

Title

Yet Another WebClap for WordPress <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Published

2025-06-16

Title

Simple Logo Carousel < 1.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

Published

2025-02-26

Title

LinkMyPosts <= 1.0 - Reflected XSS