A vulnerability is affecting the Metform Elementor Contact Form Builder WordPress plugin. That potentially revealing private data was warned about by the US National Vulnerability Database (NVD).
WordPress’s Metform Elementor Contact Form Builder is a third-party add-on. For the well-liked Elementor page builder plugin, which has more than 200,000 installations. With its drag-and-drop interface, it is simple to create contact forms, even ones with multiple steps.
Beginners who lack coding abilities can construct surveys, contact forms, and referral feedback forms. And more with the help of the Metform contact form builder WordPress plugin for Elementor. Users can also save a form so they can access it again if they lose and regain Internet connection.
Vulnerability to Information Disclosure
An attacker could use the vulnerability to get private data. Due to the requirement that an attacker secures a subscriber-level or higher user status, the NVD has classified this vulnerability as posing a medium-level threat.
As it is simpler to obtain than an admin or editor-level user role, a subscriber-level user role is a relatively low threshold for activating the exploit. An attack can start by an attacker with just one website subscription.
The subscriber user role is described on the Elementor website as follows:
A user of the website who is a WordPress subscriber can only change their profile, read posts, and leave comments.
WordPress employs the idea of “roles” to provide site owners control over and management over the range of actions (or “capabilities”) that users are permitted to perform on the website.
The user role with the fewest permissions at the lowest level is a subscriber.
Update Plugin To Reduce Attack Risk
This vulnerability affects up to and including version 3.3.1 of the Metform Elementor Contact Form Builder plugin. 3.4.0 is the most recent release of the plugin. The vulnerability was addressed in Metform Elementor Contact Form Builder 3.3.2.