CVE-2023-0084

HIGH

Metform Elementor Contact Form Builder <3.1.2 - XSS

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-0084. PoCs published by Mohammed Chemouri.

AI-analyzed exploit summary: This is a writeup describing an unauthenticated stored XSS vulnerability in Metform Elementor Contact Form Builder v3.1.2. The exploit involves injecting malicious JavaScript via a text-area field, which executes when viewed in the admin panel.

Description

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via text areas on forms in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever a user accesses the injected page, which is the submissions page.

Exploits (1)

exploitdb WRITEUP
by Mohammed Chemouri · text · webapps · php
https://www.exploit-db.com/exploits/51204

Classification: Writeup 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Metform Elementor Contact Form Builder <= 3.1.2
No auth needed
Prerequisites: Access to a form created with Metform Elementor Contact Form Builder
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 7.2
EPSS: 0.2857
EPSS Percentile: 97.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (2):
roxnor/MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor < 3.1.2
wpmet/metform_elementor_contact_form_builder < 3.1.2
Published: Mar 02, 2023
Tracked Since: Feb 18, 2026