Filtered by vendor Wpmet Subscriptions
Filtered by product Metform Elementor Contact Form Builder Subscriptions

Search

Switch to Advanced Search (Beta)
Total 24 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-0693 1 Wpmet 1 Metform Elementor Contact Form Builder 2026-04-08 6.5 Medium
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_transaction_id' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about the transaction ids of arbitrary form submissions that included payment.
CVE-2023-0084 1 Wpmet 1 Metform Elementor Contact Form Builder 2026-04-08 7.2 High
The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via text areas on forms in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, which is the submissions page.
CVE-2022-1442 1 Wpmet 1 Metform Elementor Contact Form Builder 2026-04-08 7.5 High
The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3.
CVE-2023-0714 1 Wpmet 1 Metform Elementor Contact Form Builder 2026-04-08 8.1 High
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Arbitrary File Upload due to insufficient file type validation in versions up to, and including, 3.2.4. This allows unauthenticated visitors to perform a "double extension" attack and upload files containing a malicious extension but ending with a benign extension, which may make remote code execution possible in some configurations.