The U.S. government National Vulnerability Database (NVD) issued an advisory about a vulnerability affecting Metform Elementor Contact Form Builder WordPress plugin that could leak sensitive information.
Metform Elementor Contact Form Builder for WordPress
The Metform Elementor Contact Form builder is a third party add-on to the popular Elementor page builder plugin with over over 200,000 installations.
It offers a drag-and-drop interface that makes it easy to build contact forms, including multi-step forms.
The Metform contact form builder WordPress plugin for Elementor allows beginners with no coding skills to create surveys forms, contact forms, referral feedback forms and also can save a form so that a user can return to the form if they lose and regain Internet connection.
According to the official WordPress plugin repository:
“MetForm, the drag-and-drop WordPress contact form builder is an addon for Elementor, build any fast and secure contact form on the fly with its drag-and-drop flexibility.
It can manage multiple contact forms, and you can customize the multi step form with an Elementor builder.”
Information Disclosure Vulnerability
The vulnerability allows an attacker to obtain sensitive information.
This vulnerability is rated by the NVD as a medium level threat because it requires an attacker to obtain a subscriber-level or higher user role.
A subscriber-level user role is a relatively low bar for activating the exploit, as it’s easier to obtain than an admin or editor level user role.
An attacker only needs to subscribe to a website in order to be able to launch an attack.
Elementor’s website describes the subscriber user role:
“A WordPress subscriber is a site user who can only edit their profile, read posts, and leave comments.
WordPress uses the concept of ‘roles’ to enable a site owner to control and manage what set of tasks (capabilities) users can do or not do within the site.
A subscriber is the lowest level of user role with the fewest permissions.”
Thus, an attacker can begin hacking the site with the lowest level user role.
The NVD describes the threat:
“The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the ‘mf_first_name’ shortcode in versions up to, and including, 3.3.1.
This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, including the submitter’s first name.”
Update Plugin To Mitigate Attack Threat
This vulnerability affects Metform Elementor Contact Form Builder plugin versions up to and including 3.3.1.
The most current version of the plugin is 3.4.0.
Metform Elementor Contact Form Builder Version 3.3.2 is the version that fixed the vulnerability.
According to the official Metform Elementor Contact Form Builder Changelog:
…Improved: Security, nonce and authorization checking.”
Read the official NVD advisory:
Featured image by Shutterstock/pedrorsfernandes