Elementor WordPress Contact Form Plugin Vulnerability Exposes Up To 200,000 Sites

credit: Roger Montti

A vulnerability in the Metform Elementor Contact Form Builder plugin exposes up to 200,000 WordPress websites to stored XSS

The United States National Vulnerability Database published an advisory for an XSS vulnerability affecting the popular Metform Elementor Contact Form Builder plugin, which has over 200,000 active installs, all of which are exposed to the vulnerability.

Stored Cross Site Scripting (XSS)

A stored XSS vulnerability is one in which a website fails to properly secure an input, such as a submission form, allowing an attacker to submit a malicious script that is saved on the server and later rendered into a page for other users.

The non-profit Open Worldwide Application Security Project (OWASP) describes the Cross Site Scripting vulnerability:

“An attacker can use XSS to send a malicious script to an unsuspecting user.

The end user’s browser has no way to know that the script should not be trusted, and will execute the script.

Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.”

What Caused the Vulnerability

The vulnerability was caused by a coding issue in the plugin: it failed to check for and block unwanted input submitted through the contact form.


This process of checking for and blocking unwanted input is called input sanitization.

A second problem was that the plugin failed to secure the data it outputs to the page. Securing data at that point is called escaping output.

WordPress publishes a developer page about escaping data, which explains:

“Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags. This process helps secure your data prior to rendering it for the end user.”

Failure to sanitize inputs and failure to escape outputs are the two main issues that led to the vulnerability.

The National Vulnerability Database warning explains:

“The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via text areas on forms in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping.

This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, which is the submissions page.”
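The advisory above describes the two missing steps, sanitizing the text area input on the way in and escaping it on the way out when the submissions page is rendered. The following is an added example, not code from the Metform plugin, written in plain PHP to show why each step matters. The field names and the sample submission are constructed for the demonstration; the WordPress functions named in the comments (sanitize_textarea_field(), esc_html()) are what a plugin would use in place of the plain PHP calls.

```php
<?php
// Added example (not the plugin's code): a minimal model of a contact-form
// "submissions page" that shows the effect of input sanitization and output
// escaping on a stored XSS. Field names and the sample submission are assumed.

// A constructed submission, as a visitor might type it into a text area.
// The message carries a harmless script probe to make the problem visible.
$submission = [
    'name'    => 'Alice',
    'message' => "Hello<script>alert(1)</script>",
];

// Vulnerable pattern: the raw input is stored and echoed into the page
// unchanged. Nothing is sanitized on the way in and nothing is escaped on
// the way out, so the browser of whoever views the submissions page runs
// the stored script. This is the pattern the advisory describes.
function render_submission_unsafe(array $submission): string
{
    return '<td>' . $submission['name'] . '</td>'
         . '<td>' . $submission['message'] . '</td>';
}

// Step 1: sanitize on input, before the value is stored.
// In WordPress this would be sanitize_text_field() for the name and
// sanitize_textarea_field() for the message; plain PHP strip_tags() is used
// here so the example runs outside WordPress.
function sanitize_submission(array $submission): array
{
    return [
        'name'    => strip_tags(trim($submission['name'])),
        'message' => strip_tags(trim($submission['message'])),
    ];
}

// Step 2: escape on output, at render time, regardless of what was stored.
// In WordPress this would be esc_html() (or esc_attr() inside attributes).
function render_submission_safe(array $submission): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $esc($submission['name']) . '</td>'
         . '<td>' . $esc($submission['message']) . '</td>';
}

// The unsafe render passes the <script> element straight through to the page.
echo render_submission_unsafe($submission), PHP_EOL;

// Sanitized on input and escaped on output: the tag is stripped before
// storage, and whatever remains is rendered as text.
echo render_submission_safe(sanitize_submission($submission)), PHP_EOL;

// Escaping alone, with no sanitization, still renders the tag as visible
// text (&lt;script&gt;...) rather than executable markup.
echo render_submission_safe($submission), PHP_EOL;
```

Run it with `php example.php` to compare the three rendered rows. The usual WordPress guidance is to sanitize early and escape late: sanitization limits what reaches the database, but output escaping is the step that actually prevents stored content from executing, which is why the third row is still safe even though nothing was filtered on the way in. A plugin that does neither, as the advisory describes, leaves the submissions page executing whatever a form submission contained.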

If you or your company feel you have fallen victim to this, please contact the experts at SPYDER to see if we can help you, 833 377 9337 or info@spyderwebmarketing.com.

Jim is a Senior Digital Marketing Strategist at Spyder Digital and has over 19 years of experience in the field. His insight and ability to drive new business for his clients from the Internet are unparalleled.

