The Metform Elementor Contact Form Builder for WordPress is vulnerable to Arbitrary File Upload due to insufficient file type validation in versions up to, and including, 3.2.4. This allows unauthenticated visitors to perform a "double extension" attack and upload files containing a malicious extension but ending with a benign extension, which may make remote code execution possible in some configurations.
Metrics
Affected Vendors & Products
Advisories
Source | ID | Title |
---|---|---|
![]() |
EUVD-2023-12742 | The Metform Elementor Contact Form Builder for WordPress is vulnerable to Arbitrary File Upload due to insufficient file type validation in versions up to, and including, 3.2.4. This allows unauthenticated visitors to perform a "double extension" attack and upload files containing a malicious extension but ending with a benign extension, which may make remote code execution possible in some configurations. |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Mon, 19 Aug 2024 19:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Wpmet
Wpmet metform Elementor Contact Form Builder |
|
CPEs | cpe:2.3:a:wpmet:metform_elementor_contact_form_builder:*:*:*:*:*:wordpress:*:* | |
Vendors & Products |
Wpmet
Wpmet metform Elementor Contact Form Builder |
|
Metrics |
ssvc
|
Sat, 17 Aug 2024 09:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The Metform Elementor Contact Form Builder for WordPress is vulnerable to Arbitrary File Upload due to insufficient file type validation in versions up to, and including, 3.2.4. This allows unauthenticated visitors to perform a "double extension" attack and upload files containing a malicious extension but ending with a benign extension, which may make remote code execution possible in some configurations. | |
Title | Metform Elementor Contact Form Builder <= 3.2.4 - Unauthenticated Double-Extension Arbitrary File Upload | |
Weaknesses | CWE-434 | |
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2024-08-19T18:19:24.186Z
Reserved: 2023-02-07T16:02:24.488Z
Link: CVE-2023-0714

Updated: 2024-08-19T18:19:13.059Z

Status : Analyzed
Published: 2024-08-17T10:15:06.147
Modified: 2025-04-23T17:30:05.137
Link: CVE-2023-0714

No data.

No data.