The United States National Vulnerability Database published an advisory of an XSS vulnerability affecting the popular Metform Elementor Contact Form Builder, which exposes over 200,000 active installs to the vulnerability.
Stored Cross Site Scripting (XSS)
A stored XSS vulnerability is one in which a website fails to properly secure an input, like a submission form, which allows a hacker to upload a malicious script to the server.
The script is then downloaded and executed by a site visitors browser, allowing the hacker to steal the visitors cookies or gain their website permissions, which can then lead to a website takeover.
The non-profit Open Worldwide Application Security Project (OWASP) describes the Cross Site Scripting vulnerability:
“An attacker can use XSS to send a malicious script to an unsuspecting user.
The end user’s browser has no way to know that the script should not be trusted, and will execute the script.
Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.”
There are different kinds of XSS attacks.
The vulnerability affecting the Elementor contact form plugin is called a stored XSS because the malicious script is uploaded to and stored on the website servers itself.
What makes this vulnerability of particular concern is that it’s an unauthenticated version, which means that the attacker does not need any kind of website permission in order to commence the attack.
This particular vulnerability was assigned a threat score of 7.2 on a scale of 1-10, which level 10 being the highest level.
What Caused the Vulnerability
What caused the vulnerability is a coding issue in the plugin that failed to check for and block unwanted inputs through the contact submission form.
This process for checking for and blocking unwanted uploads is called sanitization.
A second problem was a failure by the plugin to secure the data that is output by the plugin. This is called escaping output.
WordPress publishes a developer page about escaping data, which explains:
“Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags. This process helps secure your data prior to rendering it for the end user.”
Failure to sanitize inputs to escape outputs are the two main issues that led to the vulnerability.
The National Vulnerability Database warning explains:
“The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via text areas on forms in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping.
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, which is the submissions page.”
Metform Elementor Plugin is Patched
The publishers of the Metform Elementor Contact Form Builder issued patches over the course of several versions to fix the vulnerability.
These are the updated versions of the plugin and their fixes:
- Version 3.2.0
Improved: Security and sanitization
- Version 3.2.2
Fixed: Security permission issue for REST API endpoint
- Version 3.2.3 (patched on 03-06-2023)
Fixed: Escaping issue in signature field.
Fixed: Form submission for not logged in users condition.
WordPress publishers using the Metform Elementor Contact Form Builder should consider updating their plugin to version 3.2.3, the version that is fully patched.
Read the advisory on the National Vulnerability Database website:
Read the official plugin changelog documenting the patches:
Featured image by Shutterstock/Asier Romero