CVE-2023-0714
Published: 17 August 2024
Summary
CVE-2023-0714 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wpmet Metform Elementor Contact Form Builder. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 5.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
The Metform Elementor Contact Form Builder plugin for WordPress is affected by an arbitrary file upload vulnerability (CWE-434) stemming from insufficient file type validation. The flaw impacts all versions through 3.2.4 and permits a double-extension bypass that can lead to remote code execution under certain server configurations. The issue carries a CVSS 3.1 score of 8.1 with network attack vector, high complexity, and no required privileges or user interaction.
Unauthenticated visitors can exploit the weakness by uploading files that embed a malicious extension behind a benign one, potentially achieving code execution on the host if the web server processes the uploaded content. The attack requires no authentication and targets publicly reachable contact-form endpoints.
Public references, including Wordfence advisory 697ce433-f321-4977-a2ad-68369d9ce9c3 and the plugin's Trac changeset 2896914, indicate that the vendor addressed the validation logic in a subsequent release; site operators are expected to apply the available plugin update to eliminate the upload path.
EPSS has remained flat: its current value of 0.1392 is also its peak, with no material upward movement since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-12742
Vulnerability details
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Arbitrary File Upload due to insufficient file type validation in versions up to, and including, 3.2.4. This allows unauthenticated visitors to perform a "double extension" attack and upload files containing a malicious extension but ending with a benign extension, which may make remote code execution possible in some configurations.
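The weakness described above is the classic "only the last extension is checked" pattern. The following is an added illustration written for this page; it is not code from the Metform plugin, from Wordfence, or from the vendor's fix. It contrasts a weak check that inspects only the final extension with a hardened validator that rejects any filename carrying more than one extension, applies an allowlist, refuses interpreter-handled extensions, confirms the file's leading bytes match the declared type, and stores the file under a random name. The allowlist, denylist, magic numbers and the directory-listing sample are all assumptions constructed for the example, not values from the advisory. A small audit helper shows how a defender can sweep an existing uploads directory listing for names that a weak check would have let through.

```python
"""Double-extension upload checks: weak vs. hardened (added example, not plugin code)."""
import os
import secrets

# Assumed allowlist: types a contact form might legitimately accept.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Assumed (non-exhaustive) set of extensions a web server may hand to an interpreter.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "cgi", "pl", "py", "sh"}

# Leading bytes (magic numbers) expected for each allowed type.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}


def weak_is_allowed(filename: str) -> bool:
    """The pattern behind the bypass: only the text after the last dot is examined."""
    return filename.lower().rsplit(".", 1)[-1] in ALLOWED_EXTENSIONS


def extension_segments(filename: str) -> list[str]:
    """Every dot-separated segment after the base name, lower-cased.
    'shell.php.jpg' -> ['php', 'jpg'];  'photo.jpg' -> ['jpg']."""
    base = os.path.basename(filename)
    return [p for p in base.lower().split(".")[1:] if p]


def hardened_is_allowed(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects on the first failed check."""
    base = os.path.basename(filename)
    if not base or base.startswith("."):
        # Also blocks dotfiles such as .htaccess that could change server behaviour.
        return False, "empty or hidden filename"
    segs = extension_segments(base)
    if len(segs) != 1:
        # Exactly one extension: this is what defeats the double-extension trick.
        # (Legitimate multi-part names like archive.tar.gz are rejected too; by design.)
        return False, "multiple extensions"
    ext = segs[0]
    if ext in EXECUTABLE_EXTENSIONS:
        return False, "executable extension"
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not in allowlist"
    if not content.startswith(MAGIC[ext]):
        # Name says image/PDF but bytes do not: likely a disguised script.
        return False, "content does not match declared type"
    return True, "ok"


def safe_storage_name(ext: str) -> str:
    """Never reuse the client-supplied name; store under a random name + validated ext."""
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension must be validated before use")
    return f"{secrets.token_hex(16)}.{ext}"


def flag_suspicious_names(names: list[str]) -> list[str]:
    """Audit helper: names in an uploads listing with an interpreter extension anywhere."""
    return [n for n in names if any(s in EXECUTABLE_EXTENSIONS for s in extension_segments(n))]


# Constructed sample directory listing (not real data) to exercise the audit helper.
SAMPLE_LISTING = ["photo.jpg", "shell.php.jpg", "resume.pdf", "x.phtml.png", "notes.txt"]


def demo() -> dict[str, object]:
    """Run the checks on constructed inputs and return the outcomes."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 12          # constructed JPEG header
    php_text = b"<?php echo 1; ?>"                         # constructed non-image bytes
    return {
        "weak_accepts_double_ext": weak_is_allowed("shell.php.jpg"),
        "hardened_double_ext": hardened_is_allowed("shell.php.jpg", jpeg),
        "hardened_good_jpeg": hardened_is_allowed("photo.jpg", jpeg),
        "hardened_fake_jpeg": hardened_is_allowed("photo.jpg", php_text),
        "flagged": flag_suspicious_names(SAMPLE_LISTING),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The magic-byte check alone would not have stopped this bypass, since a file can carry a valid image header and still be named to reach an interpreter; the single-extension rule and the random storage name are the controls that remove the upload path, and the audit helper is what an operator would run over an existing uploads directory after updating the plugin.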
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
- Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
- Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.