CVE-2023-0709 MEDIUM

CVE-2023-0709: Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf_last_name shortcode

Vendor Roxnor
Product MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Weakness CWE-79 · XSS
Published June 9, 2023
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mf_last_name' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject arbitrary web scripts in pages that will execute when the victim visits a a page containing the shortcode when the submission id is present in the query string. Note that getting the JavaScript to execute requires user interaction as the victim must visit a crafted link with the form entry id, but the script itself is stored in the site database.

Key dates

02Disclosure timeline

June 9, 2023 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-12079 WP Twitter Auto Publish <= 1.7.4 - Reflected Cross-Site Scripting via PostMessage CVE-2022-37404 WordPress add2fav plugin <= 1.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability CVE-2024-37114 WordPress My Favorites plugin <= 1.4.3 - Cross Site Scripting (XSS) vulnerability CVE-2025-3219 CodeCanyon Perfex CRM Project Discussions Module 2 cross site scripting CVE-2024-2732 Themify Shortcodes <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting