An XSS vulnerability in the popular Metform Elementor Contact Form Builder plugin, which has over 200,000 active installs, was recently published by the United States National Vulnerability Database. This type of vulnerability, known as stored XSS, allows an attacker to submit a malicious script to a website's server through an insecure input field, such as a contact-form field, so that the script is saved alongside legitimate data. When a user later visits the page that displays the stored content, the script is executed by their browser, potentially allowing the attacker to steal sensitive information or gain website permissions. The vulnerability is of particular concern because it is unauthenticated, meaning the attacker does not need an account or any website permissions to exploit it. The vulnerability was assigned a threat score of 7.2 out of 10.
The vulnerability was caused by a coding issue in the plugin that failed to properly sanitize input data and escape output data. Sanitizing is the process of stripping or neutralizing unwanted content from data as it arrives; escaping is the process of encoding data as it is written into a page so that the browser treats it as plain text rather than as HTML or script. The plugin developers issued several updates to fix the vulnerability: improved security and sanitization in version 3.2.0, a fix for a security permission issue on a REST API endpoint in version 3.2.2, and fixes for escaping and form submission issues in version 3.2.3, which is the fully patched version. WordPress publishers using the Metform Elementor Contact Form Builder plugin are advised to update to version 3.2.3 to ensure their website is secure.
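The following is an added example, not code from the article or from the Metform plugin, showing the stored-XSS pattern described above and the sanitize-on-input, escape-on-output fix side by side. It is written in plain PHP so it runs from the command line without WordPress; the WordPress functions it approximates (sanitize_text_field() and esc_html()) are named in the comments, and the sample submission is constructed for the demonstration.

```php
<?php
// Added example, not code from the article or from the Metform plugin: a minimal
// form handler showing the stored-XSS pattern and its hardened counterpart.
// Plain PHP is used so it runs from the CLI without WordPress; the WordPress
// equivalents are named in the comments.

declare(strict_types=1);

// Constructed sample submission: what an unauthenticated visitor could post.
const SAMPLE_SUBMISSION = [
    'name'    => 'Alice',
    'message' => 'Hello <script>alert("stored xss")</script> <b>there</b>',
];

/** Vulnerable path: the raw field is stored, then written into a page as-is. */
function store_vulnerable(array $fields): array
{
    return $fields;                       // no sanitization on the way in
}

function render_vulnerable(array $row): string
{
    return "<li>{$row['name']}: {$row['message']}</li>";   // no escaping on the way out
}

/** Hardened path: sanitize when storing, escape when rendering. */
function sanitize_field(string $value): string
{
    // Approximates WordPress sanitize_text_field(): strip tags, drop control
    // characters, trim surrounding whitespace.
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value) ?? '';
    return trim($value);
}

function store_hardened(array $fields): array
{
    return array_map('sanitize_field', $fields);
}

function escape_html(string $value): string
{
    // Approximates WordPress esc_html(): encode <, >, &, " and ' so the browser
    // treats the value as text, never as markup.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_hardened(array $row): string
{
    return '<li>' . escape_html($row['name']) . ': ' . escape_html($row['message']) . '</li>';
}

/** Simple check: does the rendered fragment still contain live markup from the input? */
function contains_markup(string $html_fragment): bool
{
    // Remove the <li> wrapper the renderer adds itself, then look for any remaining tag.
    $inner = preg_replace('#^<li>|</li>$#', '', $html_fragment) ?? '';
    return (bool) preg_match('/<[a-z!\/]/i', $inner);
}

$stored = store_vulnerable(SAMPLE_SUBMISSION);
echo "vulnerable: ", render_vulnerable($stored), "\n";
echo "  live markup? ", contains_markup(render_vulnerable($stored)) ? 'yes' : 'no', "\n";

$stored = store_hardened(SAMPLE_SUBMISSION);
echo "hardened:   ", render_hardened($stored), "\n";
echo "  live markup? ", contains_markup(render_hardened($stored)) ? 'yes' : 'no', "\n";
```

Escaping at the point of output is the control that actually stops the browser from executing stored content; input sanitization reduces what gets stored but is not a substitute, since data reaches the database from more than one path. The 3.2.2 fix the article mentions addresses a different layer: in WordPress, a REST route's permission_callback decides who may call the endpoint at all, which is what makes the difference between an authenticated and an unauthenticated issue.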