WordPress Plugin Vulnerabilities

Metform Elementor Contact Form Builder < 3.3.1 - Unauthenticated CSV Injection

Description

The plugin does not properly escape user-supplied input which is output in CSV files, which could be abused in CSV Injection attacks.

Affects Plugins

Plugin icon
metform
Fixed in 3.3.1

References

CVE
CVE-2023-0721

Classification

Type
CSV INJECTION
OWASP top 10
A1: Injection
CWE
CWE-1236
CVSS
8.3 (high)

Miscellaneous

Original Researcher
Ramuel Gall
Verified
No
WPVDB ID
d7aad042-0b53-40c3-9f91-06fb32ad8ccb

Timeline

Publicly Published
2023-06-08 (about 2 years ago)
Added
2023-06-09 (about 2 years ago)
Last Updated
2024-01-26 (about 2 years ago)

Other

Published
Title
Published
2024-06-06
Title
WS Form LITE <= 1.9.217 - Unauthenticated CSV Injection
Published
2023-01-27
Title
Site Reviews < 6.4.0 - Unauthenticated CSV Injection
Published
2025-08-11
Title
AnWP Football Leagues < 0.16.18 - Authenticated (Administrator+) CSV Injection
Published
2020-12-18
Title
Ultimate SMS Notifications for WooCommerce < 1.4.2 - CSV Injection
Published
2023-02-06
Title
Email Subscribers & Newsletters < 5.5.3 - Improper Neutralization of Formula Elements in a CSV File