MetForm Vulnerability – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor – Authenticated Stored Cross-Site Scripting via Widgets – CVE-2024-2791 | WordPress Plugin Vulnerability Report
Plugin Name: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Key Information:
- Software Type: Plugin
- Software Slug: metform
- Software Status: Active
- Software Author: XpeedStudio
- Software Downloads: 3,334,058
- Active Installs: 300,000
- Last Updated: April 4, 2024
- Patched Versions: 3.8.6
- Affected Versions: <= 3.8.5
Vulnerability Details:
- Name: Metform Elementor Contact Form Builder <= 3.8.5
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Widgets
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-2791
- CVSS Score: 6.4
- Publicly Published: April 1, 2024
- Researcher: Dau Hoang Tai - VCI
- Description: The MetForm plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via its widgets in all versions up to and including 3.8.5. The flaw stems from insufficient sanitization of user-supplied widget attributes, which allows authenticated users with contributor-level access or higher to inject arbitrary web scripts that execute whenever another user views the affected page, compromising site security and user data.
Summary:
The widely used MetForm plugin contains a Stored XSS vulnerability in versions up to and including 3.8.5, tracked as CVE-2024-2791 (CVSS 6.4, medium severity). The flaw allows Stored XSS attacks through the plugin's widgets, presenting significant risks to both website integrity and user privacy. The issue is fixed in version 3.8.6, which underlines the importance of applying updates promptly.
Detailed Overview:
Discovered by researcher Dau Hoang Tai (VCI), this vulnerability lets an authenticated user with contributor-level permissions store script in a widget attribute that the plugin does not sanitize. Because the XSS is stored, the malicious code persists in the site's content and runs in the browser of every user who views the affected page, which could lead to data theft, site defacement, or more sophisticated attacks such as phishing campaigns. Version 3.8.6 mitigates the vulnerability and should be applied to every WordPress site that uses MetForm.
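The description above points at a well-known plugin pattern: a widget setting that a contributor can edit is printed into the page without escaping. The following is an added illustration of that pattern and its fix, written as a hypothetical Elementor widget; it is not MetForm's source code and not a reconstruction of the 3.8.6 patch. The class names `Demo_Text_Field_Unsafe` / `Demo_Text_Field` and the setting keys `label`, `placeholder` and `help_html` are assumptions; `\Elementor\Widget_Base`, `get_settings_for_display()`, `esc_html()`, `esc_attr()` and `wp_kses_post()` are the real Elementor and WordPress APIs.

```php
<?php
// Added example (hypothetical widget, not MetForm's code). Assumes the
// Elementor Widget_Base API and the WordPress escaping helpers are loaded.

// VULNERABLE PATTERN: widget settings are edited in the Elementor editor,
// which a contributor can use on their own posts, and are printed unescaped.
class Demo_Text_Field_Unsafe extends \Elementor\Widget_Base {
    public function get_name() { return 'demo-text-field-unsafe'; }

    protected function render() {
        $s = $this->get_settings_for_display();
        // A double quote inside $s['placeholder'] closes the attribute early,
        // so the rest of the value is parsed as markup; $s['label'] is emitted
        // as raw HTML, so it can carry arbitrary tags.
        echo '<label>' . $s['label'] . '</label>';
        echo '<input type="text" placeholder="' . $s['placeholder'] . '">';
    }
}

// HARDENED PATTERN: escape at the point of output, using the escaper that
// matches the output context (text node, quoted attribute, limited HTML).
class Demo_Text_Field extends \Elementor\Widget_Base {
    public function get_name() { return 'demo-text-field'; }

    protected function render() {
        $s = $this->get_settings_for_display();
        $label       = isset( $s['label'] ) ? $s['label'] : '';
        $placeholder = isset( $s['placeholder'] ) ? $s['placeholder'] : '';
        $help        = isset( $s['help_html'] ) ? $s['help_html'] : '';

        // esc_html(): the value is a text node, so < > & " ' are encoded.
        echo '<label>' . esc_html( $label ) . '</label>';

        // esc_attr(): the value sits inside a quoted attribute, so a stray
        // quote cannot terminate the attribute.
        echo '<input type="text" placeholder="' . esc_attr( $placeholder ) . '">';

        // wp_kses_post(): where limited markup is a feature, keep only the
        // post-content allow-list (no <script>, no on* handlers, no javascript: URLs).
        echo '<p class="help">' . wp_kses_post( $help ) . '</p>';
    }
}
```

The choice of escaper is the whole point: `esc_html()` in an attribute or `esc_attr()` in a text node is still a defect, and sanitizing on save is not a substitute for escaping on output, because settings can be written by other code paths than the editor form. For attribute lists, Elementor's `add_render_attribute()` / `get_render_attribute_string()` helpers apply attribute escaping for you and are preferable to hand-built strings.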
Advice for Users:
- Immediate Action: Users of the MetForm plugin are strongly advised to update to version 3.8.6 without delay to safeguard their sites against potential exploits stemming from CVE-2024-2791.
- Check for Signs of Exploitation: Website administrators should review widget and form content, particularly pages and posts last edited by contributor-level accounts, for unexpected `<script>` tags, inline event-handler attributes, or other content changes that would indicate exploitation.
- Alternate Plugins: Although the vulnerability has been patched, exploring alternative form builder plugins could serve as a prudent precautionary measure.
- Stay Updated: Maintaining the latest versions of all WordPress plugins is essential in ensuring a secure and reliable website environment.
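The review step above is easier to do consistently with a small scanner. The following is an added example, not part of the advisory or of MetForm: a plain-PHP triage function that flags markup a low-privilege user should never be able to store, run over a few constructed sample records. The record IDs and HTML fragments are constructed; on a live site the input would be the relevant rows of `wp_posts.post_content` and, for Elementor layouts, the JSON that Elementor stores in the `_elementor_data` post meta.

```php
<?php
// Added example (not from the advisory). Flags stored HTML fragments that
// contain script-capable markup; every hit still needs a human look.

/**
 * Return findings for one stored fragment as [pattern name, matched text].
 * Patterns are case-insensitive and whitespace-tolerant on purpose: stored
 * content is rarely tidy, and this is a triage heuristic, not a parser.
 */
function find_script_injection( string $html ): array {
    $checks = [
        'script tag'       => '/<\s*script\b[^>]*>/i',
        'inline handler'   => '/\son[a-z]+\s*=\s*["\']?/i',
        'javascript: URL'  => '/\b(?:href|src|action)\s*=\s*["\']?\s*javascript:/i',
        'iframe with src'  => '/<\s*iframe\b[^>]*\bsrc\s*=/i',
        'data: URL in src' => '/\bsrc\s*=\s*["\']?\s*data:/i',
    ];
    $findings = [];
    foreach ( $checks as $name => $regex ) {
        if ( preg_match_all( $regex, $html, $m ) ) {
            foreach ( $m[0] as $hit ) {
                $findings[] = [ $name, trim( $hit ) ];
            }
        }
    }
    return $findings;
}

/**
 * Scan a map of record id => stored HTML and keep only records with hits.
 */
function scan_records( array $records ): array {
    $report = [];
    foreach ( $records as $id => $html ) {
        $hits = find_script_injection( $html );
        if ( $hits ) {
            $report[ $id ] = $hits;
        }
    }
    return $report;
}

// Constructed sample records: 101 is clean, 102 and 103 should be flagged.
$sample = [
    101 => '<label>Email</label><input type="email" placeholder="you@example.com">',
    102 => '<input type="text" placeholder="name" onfocus="void(0)">',
    103 => '<p>Thanks!</p><script src="https://placeholder.invalid/x.js"></script>',
];

foreach ( scan_records( $sample ) as $id => $hits ) {
    foreach ( $hits as [ $name, $text ] ) {
        printf( "record %d: %s -> %s\n", $id, $name, $text );
    }
}
```

Run it as `php scan.php`; for the sample data it reports record 102 (inline handler) and record 103 (script tag) and stays silent on 101. The `inline handler` pattern is deliberately broad (it would also match a word such as "online=") so that nothing slips past; tighten it only after checking what legitimate content on the site looks like, and compare flagged records against their revision history and the account that last edited them.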
Conclusion:
The prompt fix released by XpeedStudio for CVE-2024-2791 in the MetForm plugin underscores the importance of software updates in maintaining website security. By updating MetForm to version 3.8.6 or later, users close this vulnerability and strengthen their WordPress installations against similar issues.