Metform Elementor Contact Form Builder plugin vulnerability exposes up to 200,000 WordPress websites to XSS
The United States National Vulnerability Database published an advisory about an XSS vulnerability affecting the popular Metform Elementor Contact Form Builder plugin, which exposes over 200,000 active installs to the vulnerability.
Stored Cross Site Scripting (XSS)
A stored XSS vulnerability is one in which a website fails to properly secure an input, such as a submission form, allowing a hacker to upload a malicious script to the server.
The script is then downloaded and executed by a site visitor's browser, allowing the hacker to steal the visitor's cookies or act with their website permissions, which can lead to a website takeover.
The non-profit Open Worldwide Application Security Project (OWASP) describes the Cross Site Scripting vulnerability:
“An attacker can use XSS to send a malicious script to an unsuspecting user.
The end user’s browser has no way to know that the script should not be trusted, and will execute the script.
Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.”
What Caused the Vulnerability
The vulnerability was caused by a coding issue in the plugin: it failed to check for and block unwanted input submitted through the contact form.
This process of checking for and blocking unwanted input is called sanitization.
A second problem was the plugin's failure to secure the data it outputs. Securing output data is called escaping output.
WordPress publishes a developer page about escaping data, which explains:
“Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags. This process helps secure your data prior to rendering it for the end user.”
Failure to sanitize inputs and failure to escape outputs are the two main issues that led to the vulnerability.
The National Vulnerability Database warning explains:
“The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via text areas on forms in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping.
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, which is the submissions page.”
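To make the two failures concrete, here is an added PHP example (not the plugin's code) of a form handler that stores a text area value and later renders it on a submissions page: first the unsafe pattern the advisory describes, then the same handler with sanitization on input and escaping on output. The functions store_unsafe(), render_unsafe(), store_safe(), render_safe() and the sample submission are constructed for this illustration; sanitize_textarea_field() and esc_html() are WordPress's own functions, with simplified stand-ins so the file also runs outside WordPress.

```php
<?php
// Stand-ins so this file runs outside WordPress. Inside WordPress these
// functions already exist (wp-includes/formatting.php) and the shims are skipped.
if (!function_exists('sanitize_textarea_field')) {
    function sanitize_textarea_field($str) {
        // Simplified: strip tags and control characters, but keep \n and \r
        // because a text area legitimately contains line breaks.
        return trim(preg_replace('/[\x00-\x09\x0B\x0C\x0E-\x1F\x7F]/u', '', strip_tags($str)));
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample submission: the kind of text area value an
// unauthenticated visitor can send through a public contact form.
$submitted = [
    'message' => "Hello,\n<script>alert('xss')</script>",
];

// Unsafe pattern (the advisory's two failures): the raw value is stored,
// then echoed into the submissions page without escaping.
function store_unsafe(array $post): string {
    return $post['message'];                 // no sanitization on input
}
function render_unsafe(string $stored): string {
    return '<td>' . $stored . '</td>';       // no escaping on output
}

// Hardened pattern: sanitize when storing, escape when rendering.
function store_safe(array $post): string {
    return sanitize_textarea_field($post['message']);
}
function render_safe(string $stored): string {
    // esc_html() turns <, >, quotes and & into entities, so anything that
    // survived sanitization is displayed as text instead of being executed;
    // nl2br() keeps the line breaks without re-introducing raw HTML.
    return '<td>' . nl2br(esc_html($stored)) . '</td>';
}

echo "Unsafe submissions page row:\n" . render_unsafe(store_unsafe($submitted)) . "\n\n";
echo "Hardened submissions page row:\n" . render_safe(store_safe($submitted)) . "\n\n";
// Escaping alone also neutralizes a value that was stored unsanitized.
echo "Escaping only:\n" . render_safe(store_unsafe($submitted)) . "\n";
```

The last line shows why the advisory names both controls: escaping at output still protects the submissions page when a stored value slipped past input sanitization, while sanitization keeps the bad data from being stored in the first place.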
If you or your company feel you have fallen victim to this, please contact the experts at SPYDER to see if we can help you, 833 377 9337 or firstname.lastname@example.org.
Jim is a Senior Digital Marketing Strategist at Spyder Digital and has over 19 years of experience in the field. His insight and ability to drive new business for his clients from the Internet is unparalleled.