CVE-2023-1843

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to unauthorized permalink structure update due to a missing capability check on the permalink_setup function in versions up to, and including, 3.3.0. This makes it possible for unauthenticated attackers to change the permalink structure.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
WordfenceCNA
6.5 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 34%
VendorProductVersion
wpmetmetform_elementor_contact_form_builder
𝑥
≤ 3.3.0
𝑥
= Vulnerable software versions
References
https://plugins.trac.wordpress.org/browser/metform/trunk/plugin.php#L544
https://plugins.trac.wordpress.org/changeset/2907471/
https://www.wordfence.com/threat-intel/vulnerabilities/id/5db00eb6-3e05-42fa-bb84-2df4bcae3955?source=cve
https://plugins.trac.wordpress.org/browser/metform/trunk/plugin.php#L544
https://plugins.trac.wordpress.org/changeset/2907471/
https://www.wordfence.com/threat-intel/vulnerabilities/id/5db00eb6-3e05-42fa-bb84-2df4bcae3955?source=cve