Metform Elementor Contact Form Builder Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Metform Elementor Contact Form Builder plugin for WordPress, affecting all versions through 3.8.1. The vulnerability arises from inadequate nonce validation in the 'contents' function, allowing unauthenticated attackers to manipulate specific options related to HubSpot integration. By tricking a site administrator into clicking a link, an attacker could connect their HubSpot account to the victim's Metform, potentially leading to unauthorized access to leads and contacts.

Impact

Exploitation of this vulnerability could result in unauthorized updates to HubSpot integration tokens, allowing attackers to access leads and contacts from a victim's HubSpot account via the compromised Metform integration.

Reproduction

To reproduce this vulnerability, an attacker must craft a forged request that exploits the missing nonce validation in the 'contents' function. This request should be designed to update the HubSpot integration options with values that redirect to the attacker's HubSpot account. The attacker must then trick an administrator into clicking a link that triggers this request, bypassing the intended nonce protection.

Remediation

Users are advised to update the Metform Elementor Contact Form Builder plugin to version 3.8.2 or later.