CVE-2024-4266

MEDIUM

MetForm <= 3.8.8 - Unauthenticated Sensitive Information Exposure via handle_file

Title source: llm

Description

The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 3.8.8 via the 'handle_file' function. This can allow unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users.

References (3)

Core 3

Core References

Product

https://plugins.trac.wordpress.org/browser/metform/trunk/core/entries/action.php#L1019

Patch

https://plugins.trac.wordpress.org/changeset/3099977/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/8edb72f5-dda3-4c59-ba7a-7a460cb59c03?source=cve

Scores

CVSS v3 5.3

EPSS 0.0055

EPSS Percentile 41.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (2)

roxnor/MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor < 3.8.8

wpmet/metform_elementor_contact_form_builder < 3.8.9

Published Jun 11, 2024

Tracked Since Feb 18, 2026