Filtered by vendor Wpmet Subscriptions
Filtered by product Metform Elementor Contact Form Builder Subscriptions

Search

Switch to Advanced Search (Beta)
Total 24 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-4266 1 Wpmet 1 Metform Elementor Contact Form Builder 2026-04-08 5.3 Medium
The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 3.8.8 via the 'handle_file' function. This can allow unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users.
CVE-2023-0710 1 Wpmet 1 Metform Elementor Contact Form Builder 2026-04-08 4.9 Medium
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'fname' attribute of the 'mf_thankyou' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject arbitrary web scripts in pages that will execute when the victim visits a a page containing the shortcode when the submission id is present in the query string. Note that getting the JavaScript to execute requires user interaction as the victim must visit a crafted link with the form entry id, but the script itself is stored in the site database. Additionally this requires successful payment, increasing the complexity.
CVE-2023-0714 1 Wpmet 1 Metform Elementor Contact Form Builder 2026-04-08 8.1 High
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Arbitrary File Upload due to insufficient file type validation in versions up to, and including, 3.2.4. This allows unauthenticated visitors to perform a "double extension" attack and upload files containing a malicious extension but ending with a benign extension, which may make remote code execution possible in some configurations.
CVE-2023-1843 1 Wpmet 1 Metform Elementor Contact Form Builder 2026-04-08 6.5 Medium
The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to unauthorized permalink structure update due to a missing capability check on the permalink_setup function in versions up to, and including, 3.3.0. This makes it possible for unauthenticated attackers to change the permalink structure.