High-Severity XSS Vulnerability in Metform Elementor Contact Form Builder

On January 4, 2023, independent security researcher Mohammed Chemouri reached out to the Wordfence Vulnerability Disclosure program to responsibly disclose and request a CVE ID for a vulnerability in Metform Elementor Contact Form Builder, a WordPress plugin with over 100,000 installations.

The vulnerability, an unauthenticated stored cross-site scripting vulnerability, is arguably the most dangerous variant of cross-site scripting as it provides the easiest path to site takeover, and has been assigned an identifier of CVE-2023-0084.

Mohammed reached out to the plugin developer independently the same day and a patched version was made available a few days later, on January 8, 2023.

All Wordfence users, including Wordfence free as well as Wordfence Premium, Wordfence Care, and Wordfence Response, are protected against this vulnerability by the Wordfence Firewall’s built-in Cross-Site Scripting protection. However, the Wordfence Threat Intelligence team became aware of a possible bypass and released a firewall rule to Wordfence Premium, Wordfence Care, and Wordfence Response users on February 3, 2023.

This additional protection will become available to Wordfence free users after 30 days, on March 5, 2023, but Wordfence free users can simply update the Metform plugin to the latest version which is 3.2.1 at the time of this writing to gain protection against this vulnerability. We highly recommend that Wordfence Premium, Care, and Response users update as well as the update contains a number of additional bugfixes.


Description: Unauthenticated Stored Cross-Site Scripting
Affected Plugin: Metform Elementor Contact Form Builder
Plugin Slug: metform
Affected Versions: <= 3.1.2
CVE ID: CVE-2023-0084
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Mohammed El Amin, Chemouri
Fully Patched Version: 3.2.0

The Metform Elementor Contact Form Builder plugin allows site builders to create highly functional contact forms. Unfortunately, vulnerable versions of the Metform plugin fail to escape submitted form entries when displaying them in the admin panel.
This meant that any site visitor could fill out a contact form with malicious JavaScript, and that the script would execute in the browser of any administrator viewing that form entry.

A form entry showing a JavaScirpt alert popup

While sanitizing input may also have helped, escaping output is much more important for preventing Cross-Site Scripting as bypasses are far less common.

The patched version updated the format_form_data function to escape the output form data in order to address this issue.

A diff showing the patched code

An attacker able to execute JavaScript in the browser of an administrator can use it to take over a website via several methods, including by adding a new malicious administrator or injecting a backdoor into a plugin or theme on the site. Unauthenticated Stored Cross-Site Scripting vulnerabilities are the most dangerous variant of Cross-Site Scripting for WordPress sites as they are much easier for attackers to automatically exploit en masse without needing an existing user account.

Timeline

January 4, 2023 – Mohammed Chemouri responsibly discloses the vulnerability to the plugin vendor and our Vulnerability Disclosure program.
January 8, 2023 – A patched version of the Metform plugin, 3.2.0, is made available.
February 3, 2023 – The Wordfence Threat Intelligence team discovers a potential bypass of the existing Cross-Site Scripting rule and releases an additional firewall rule to Wordfence Premium, Care, and Response sites.
March 5, 2023 – The firewall rule becomes available to Wordfence free users.

Conclusion

In today’s post we detailed an unauthenticated stored Cross-Site Scripting vulnerability in the Metform plugin discovered and responsibly disclosed by independent security researcher Mohammed Chemouri. The Wordfence firewall’s built-in Cross-Site Scripting protection should provide coverage for all Wordfence users including those using Wordfence free.

While we did find a potential bypass and deploy an additional rule to cover it, we have not seen this vulnerability exploited at a large scale in the wild, and have not seen any instances of the bypass being exploited. Nonetheless, we strongly recommend updating to the latest version of the Metform Elementor Contact Form Builder plugin, which is 3.2.1 at the time of this writing.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Metform Elementor Contact Form Builder as soon as possible.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence Community Edition leaderboard.
This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.

Did you enjoy this post? Share it!

Comments

No Comments