Cyber Resilience

CVE-2023-0714 (severity: High)

Published: 17 August 2024
Modified: 23 April 2025
KEV Added: not listed
Patch: (no value recorded)
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.1392 (94.5th percentile)
Risk priority: 25 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-0714 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wpmet Metform Elementor Contact Form Builder. Its CVSS base score is 8.1 (High).

Operationally, its EPSS score places it in the top 5.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Metform Elementor Contact Form Builder plugin for WordPress is affected by an arbitrary file upload vulnerability (CWE-434) stemming from insufficient file type validation. The flaw impacts all versions through 3.2.4 and permits a double-extension bypass that can lead to remote code execution under certain server configurations. The issue carries a CVSS 3.1 score of 8.1 with network attack vector, high complexity, and no required privileges or user interaction.

Unauthenticated visitors can exploit the weakness by uploading files that embed a malicious extension behind a benign one, potentially achieving code execution on the host if the web server processes the uploaded content. The attack requires no authentication and targets publicly reachable contact-form endpoints.
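The bypass described above only works because the upload handler inspects the trailing extension and nothing else. The following example, added here for illustration and not taken from the Metform plugin, Wpmet or Wordfence, puts that insufficient check next to a stricter one that rejects directory components, hidden dotfiles, embedded executable extensions and names with more than one extension, and then confirms the file content against a small magic-byte table. The allowlist, the executable-extension set, the magic table and the sample uploads are all constructed for this example.

```python
"""Filename and content validation for a form upload handler.

Added example (not the Metform plugin's code): contrasts a last-extension-only
check with a stricter policy that defeats double-extension names such as
"shell.php.jpg" (CWE-434).
"""
from pathlib import PurePosixPath

# Constructed policy for this example: final extensions a contact form accepts.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt"}

# Extensions a PHP-capable web server may execute. Their presence anywhere in
# the name (not only at the end) is treated as hostile.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
    "inc", "cgi", "pl", "py", "sh", "htaccess",
}

# Constructed magic-byte table for the binary types the allowlist accepts.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}


def weak_is_allowed(filename: str) -> bool:
    """The insufficient check CWE-434 describes: only the last extension is inspected."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def strict_filename_check(filename: str) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects path tricks and double extensions."""
    name = PurePosixPath(filename).name
    if name != filename or name in ("", ".", ".."):
        return False, "directory components are not allowed"
    if not name.isprintable():
        return False, "control characters in filename"
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        return False, "missing extension or hidden dotfile"
    exts = parts[1:]
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"final extension .{exts[-1]} is not on the allowlist"
    # Every extension segment must be a plain token and must not be something
    # a web server could execute, regardless of what follows it.
    for ext in exts:
        if not ext.isalnum():
            return False, f"unexpected characters in segment .{ext}"
        if ext in EXECUTABLE_EXTENSIONS:
            return False, f"embedded executable extension .{ext}"
    if len(exts) > 1:
        return False, "multiple extensions are not accepted"
    return True, "ok"


def content_check(data: bytes, ext: str) -> tuple[bool, str]:
    """Verify the bytes match the claimed type and carry no PHP open tag."""
    if b"<?php" in data or b"<?=" in data:
        return False, "PHP open tag found in content"
    expected = MAGIC.get(ext.lower())
    if expected is not None and not data.startswith(expected):
        return False, f"content does not match .{ext} signature"
    return True, "ok"


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Full decision for one upload: filename policy first, then content."""
    ok, reason = strict_filename_check(filename)
    if not ok:
        return ok, reason
    return content_check(data, filename.rsplit(".", 1)[-1])


# Constructed sample uploads for the comparison; none are real artefacts.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "shell.php.jpg": b"\xff\xd8\xff\xe0<?php echo 1; ?>",
    "notes.txt": b"plain text",
    "../evil.png": b"\x89PNG\r\n\x1a\n",
    "fake.png": b"<?php echo 1; ?>",
}


def run_samples() -> dict[str, tuple[bool, bool]]:
    """Map each sample name to (weak verdict, strict verdict)."""
    return {
        name: (weak_is_allowed(name), validate_upload(name, data)[0])
        for name, data in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (weak, strict) in run_samples().items():
        print(f"{name:16} weak={weak!s:5} strict={strict}")
```

The weak check accepts every sample, including the double-extension name and the path-traversal name; the strict check accepts only the two genuine files. Logging the rejection reason gives a detection signal for upload probing against the form endpoint.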

Public references, including Wordfence advisory 697ce433-f321-4977-a2ad-68369d9ce9c3 and the plugin's Trac changeset 2896914, indicate that the vendor addressed the validation logic in a subsequent release; site operators are expected to apply the available plugin update to eliminate the upload path.

The EPSS score has remained flat since disclosure: its current value, 0.1392, is also its peak, with no material upward movement.

EU & UK References

Vulnerability details

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Arbitrary File Upload due to insufficient file type validation in versions up to, and including, 3.2.4. This allows unauthenticated visitors to perform a "double extension" attack and upload files containing a malicious extension but ending with a benign extension, which may make remote code execution possible in some configurations.

CWE(s)

CWE-434: Unrestricted Upload of File with Dangerous Type

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: wpmet
Product: metform elementor contact form builder
Versions: ≤ 3.3.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-434: Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

Addresses CWE-434: Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

Addresses CWE-434: Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

Addresses CWE-434: Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.

References