CVE-2023-0721

2023-06-0906:15:53

[email protected]

web.nvd.nist.gov

metform

elementor

contact form builder

wordpress

csv injection

vulnerability

code execution

unauthenticated attackers

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

8.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

27.2%

JSON

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to CSV injection in versions up to, and including, 3.3.0. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Affected configurations

Vulners

NVD

Node

xpeedstudiometform_elementor_contact_form_builder_–_flexible_and_design-friendly_contact_form_builder_plugin_for_wordpressRange≤3.3.0

CPENameOperatorVersion
wpmet:metform_elementor_contact_form_builderwpmet metform elementor contact form builderle3.3.0

CPE	Name	Operator	Version
wpmet:metform_elementor_contact_form_builder	wpmet metform elementor contact form builder	le	3.3.0

CNA Affected

[
  {
    "vendor": "xpeedstudio",
    "product": "Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "3.3.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]