CVE-2023-0714

HIGH

Wpmet Metform Elementor Contact Form ... - Unrestricted File Upload

Title source: rule

Description

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Arbitrary File Upload due to insufficient file type validation in versions up to, and including, 3.2.4. This allows unauthenticated visitors to perform a "double extension" attack and upload files containing a malicious extension but ending with a benign extension, which may make remote code execution possible in some configurations.

References (3)

Core 3

Core References

Product

https://plugins.trac.wordpress.org/browser/metform/trunk/core/entries/file-data-validation.php?rev=2746287

Patch

https://plugins.trac.wordpress.org/changeset/2896914/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/697ce433-f321-4977-a2ad-68369d9ce9c3?source=cve

Scores

CVSS v3 8.1

EPSS 0.1392

EPSS Percentile 94.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (2)

roxnor/MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor < 3.2.4

wpmet/metform_elementor_contact_form_builder < 3.3.0

Published Aug 17, 2024

Tracked Since Feb 18, 2026