CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

ATTACKERKB•added 2023/06/09 6:15 a.m.•2 views

CVE-2023-0691

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mflastname' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary...

4.3CVSS6AI score0.00249EPSS

Exploits0References4

Prion•added 2023/06/09 6:15 a.m.•19 views

Information disclosure

4CVSS6AI score0.00473EPSS

4.4CVSS7.9AI score0.00826EPSS

Input validation

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to CSV injection in versions up to, and including, 3.3.0. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and...

Prion•added 2023/06/09 6:15 a.m.•21 views

Cross site scripting

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mf' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject...

4.9CVSS5.2AI score0.00153EPSS

Exploits0References2Affected Software1

Prion•added 2023/06/09 6:15 a.m.•18 views

Cross site scripting

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mflastname' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to injec...

4.9CVSS5.2AI score0.00171EPSS

Prion•added 2023/06/09 6:15 a.m.•23 views

Design/Logic Flaw

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about any standard form...

4CVSS4.2AI score0.00322EPSS

4CVSS4.3AI score0.00322EPSS

Information disclosure

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mftransactionid' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about the...

Prion•added 2023/06/09 6:15 a.m.•14 views

Design/Logic Flaw

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to unauthorized permalink structure update due to a missing capability check on the permalinksetup function in versions up to, and including, 3.3.0. This makes it possible for unauthenticated attackers to change the...

5CVSS5.1AI score0.00137EPSS

4CVSS4.3AI score0.00249EPSS

Information disclosure

Prion•added 2023/06/09 6:15 a.m.•16 views

Information disclosure

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mfpaymentstatus' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about the...

4CVSS4.3AI score0.00249EPSS

Prion•added 2023/06/09 6:15 a.m.•19 views

Cross site scripting

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'fname' attribute of the 'mfthankyou' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level...

4.9CVSS5.2AI score0.00104EPSS

Exploits0References2Affected Software1

4.9CVSS5.2AI score0.00171EPSS

Cross site scripting

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mffirstname' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inje...

Cvelist•added 2023/06/09 5:33 a.m.•17 views

CVE-2023-0692 Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_payment_status' shortcode

4.3CVSS5AI score0.00249EPSS

CVE•added 2023/06/09 5:33 a.m.•56 views

CVE-2023-0692

CVE-2023-0692 affects WordPress plugin Metform Elementor Contact Form Builder for WordPress (≤ 3.3.1). The issue is an information disclosure via the mf_payment_status shortcode, enabling authenticated users with subscriber-level capabilities or higher to view sensitive payment-status data of arb...

4.3CVSS5.2AI score0.00249EPSS

Vulnrichment•added 2023/06/09 5:33 a.m.•21 views

CVE-2023-0692 Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_payment_status' shortcode

4.3CVSS6.7AI score0.00249EPSS

Vulnrichment•added 2023/06/09 5:33 a.m.•32 views

CVE-2023-0721 Metform Elementor Contact Form Builder <= 3.3.0 - Unauthenticated CSV Injection

8.3CVSS7.5AI score0.00826EPSS

CVE•added 2023/06/09 5:33 a.m.•71 views

CVE-2023-0721

The Metform Elementor Contact Form Builder plugin for WordPress is affected by CVE-2023-0721 (affected versions up to and including 3.3.0). The underlying issue is CSV injection in exported CSV files, allowing unauthenticated input to be embedded in CSVs, which can lead to code execution when the...

8.3CVSS8.1AI score0.00826EPSS

Cvelist•added 2023/06/09 5:33 a.m.•23 views

CVE-2023-0721 Metform Elementor Contact Form Builder <= 3.3.0 - Unauthenticated CSV Injection

8.3CVSS8.7AI score0.00826EPSS

CVE•added 2023/06/09 5:33 a.m.•41 views

CVE-2023-0708

The Metform Elementor Contact Form Builder for WordPress is affected by a Cross-Site Scripting vulnerability (CVE-2023-0708) in versions up to and including 3.3.0. The issue arises from the mf_first_name shortcode echoing unescaped form submissions, allowing an authenticated attacker with contrib...

5.4CVSS5.7AI score0.00171EPSS