CVE-2023-0714

8.1 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to upload malicious files to WordPress sites using the Metform Elementor Contact Form Builder plugin. Attackers can bypass file type validation using double extension techniques, potentially leading to remote code execution. All WordPress sites running Metform plugin versions up to 3.2.4 are affected.

💻 Affected Systems

Products:
  • Metform Elementor Contact Form Builder for WordPress
Versions: Up to and including 3.2.4
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with vulnerable plugin versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete site compromise, data theft, malware distribution, or site defacement.

🟠 Likely Case: Malicious file upload leading to backdoor installation, credential theft, or site takeover.

🟢 If Mitigated: File upload attempts blocked by web application firewall or file integrity monitoring.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation makes all public-facing WordPress sites vulnerable.
🏢 Internal Only: MEDIUM - Internal sites still vulnerable but attack surface reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Double extension attacks are well-documented and easy to automate.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.5 and later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2896914/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Metform Elementor Contact Form Builder.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.2.5+ from the WordPress repository and manually update.

🔧 Temporary Workarounds

Disable Metform Plugin

all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate metform

Web Application Firewall Rule

all

Block file uploads with double extensions at WAF level.

Block requests with filenames containing patterns like *.php.jpg, *.php.png

🧯 If You Can't Patch

  • Implement strict file upload restrictions at web server level
  • Deploy file integrity monitoring on upload directories

🔍 How to Verify

Check if Vulnerable:

Check the Metform version in the WordPress admin panel (Plugins → Installed Plugins). If the version is 3.2.4 or lower, the site is vulnerable.

Check Version:

wp plugin get metform --field=version

Verify Fix Applied:

Confirm plugin version is 3.2.5 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • File upload attempts with double extensions in web server logs
  • POST requests to /wp-content/uploads/ with suspicious filenames

Network Indicators:

  • Unusual file upload patterns to WordPress sites
  • POST requests with Content-Type: multipart/form-data whose part filenames carry executable extensions

SIEM Query:

source="web_server" (filename="*.php.*" OR filename="*.exe.*" OR filename="*.sh.*") AND uri_path="/wp-admin/admin-ajax.php"
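The checks below are an added illustration of the WAF rule and the upload-directory monitoring described above; they are not Metform's, WordPress's or any WAF vendor's code. The extension sets, the function names, the multipart request body and the upload-directory listing are all constructed for this example. The block contrasts the weak "last extension only" validation that a double-extension name slips past with a strict allowlist check, extracts part filenames from a multipart body the way a WAF rule would, and sweeps a directory listing for names that hide an executable extension.

```python
"""Defensive checks for double-extension uploads (added example, not project code)."""
import re

# Extensions a web server or PHP handler may execute if the file is requested
# directly. Assumption: adjust to the handlers configured on your stack.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "exe", "sh"}

# Extensions a contact-form upload field legitimately needs (constructed allowlist).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}


def _basename(filename):
    """Strip any directory component (either separator) and lower-case."""
    return filename.replace("\\", "/").rsplit("/", 1)[-1].lower()


def final_extension(filename):
    """The last extension of the name, or '' if there is none."""
    base = _basename(filename)
    return base.rsplit(".", 1)[-1] if "." in base else ""


def naive_extension_check(filename):
    """The weak pattern: only the final extension is validated, so a name
    such as 'photo.php.jpg' passes because it ends in .jpg."""
    return final_extension(filename) in ALLOWED_EXTENSIONS


def hidden_executable_extension(filename):
    """Return the first executable extension that is not the final one
    (the 'double extension' case), or None."""
    parts = _basename(filename).split(".")
    for ext in parts[1:-1]:          # parts[0] is the name, parts[-1] the visible extension
        if ext in EXECUTABLE_EXTENSIONS:
            return ext
    return None


def strict_upload_check(filename):
    """Hardened validation: no path components, no dotfiles, no control
    characters, exactly one extension and that extension on the allowlist."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base != filename or not base or base.startswith("."):
        return False
    if any(ord(c) < 32 for c in base):
        return False
    parts = base.lower().split(".")
    if len(parts) != 2:              # rejects 'a', 'a.b.c' and 'a.php.' alike
        return False
    name, ext = parts
    return bool(name) and ext in ALLOWED_EXTENSIONS and ext not in EXECUTABLE_EXTENSIONS


# Matches filename="..." inside a multipart part header (case-insensitive).
_CD_FILENAME = re.compile(r'Content-Disposition:\s*form-data;[^\r\n]*?filename="([^"]*)"', re.IGNORECASE)


def multipart_filenames(raw_body):
    """Extract every uploaded part's filename from a multipart/form-data body."""
    return _CD_FILENAME.findall(raw_body)


def waf_verdict(raw_body):
    """Mirror the advisory's WAF rule: block when any part filename hides an
    executable extension or ends in one. Returns (verdict, offending names)."""
    blocked = [f for f in multipart_filenames(raw_body)
               if hidden_executable_extension(f) or final_extension(f) in EXECUTABLE_EXTENSIONS]
    return ("block", blocked) if blocked else ("allow", [])


def flag_upload_listing(paths):
    """Sweep an uploads-directory listing (e.g. from a file integrity monitor)
    and return (path, reason) for every name that should not be there."""
    findings = []
    for path in paths:
        hidden = hidden_executable_extension(path)
        if hidden:
            findings.append((path, f"double extension hides .{hidden}"))
        elif final_extension(path) in EXECUTABLE_EXTENSIONS:
            findings.append((path, f"executable extension .{final_extension(path)}"))
    return findings


# Constructed sample request body: one benign attachment, one double-extension name.
SAMPLE_BODY = (
    "--boundary\r\n"
    'Content-Disposition: form-data; name="attachment"; filename="resume.pdf"\r\n'
    "Content-Type: application/pdf\r\n\r\n%PDF-1.4 ...\r\n"
    "--boundary\r\n"
    'Content-Disposition: form-data; name="attachment"; filename="photo.php.jpg"\r\n'
    "Content-Type: image/jpeg\r\n\r\n<binary>\r\n"
    "--boundary--\r\n"
)

# Constructed sample listing of an uploads directory.
SAMPLE_LISTING = [
    "2023/02/contact-form/resume.pdf",
    "2023/02/contact-form/photo.php.jpg",
    "2023/02/banner.png",
    "2023/02/contact-form/upload.phtml",
]

if __name__ == "__main__":
    print("naive check passes photo.php.jpg:", naive_extension_check("photo.php.jpg"))
    print("strict check passes photo.php.jpg:", strict_upload_check("photo.php.jpg"))
    print("WAF verdict:", waf_verdict(SAMPLE_BODY))
    for path, reason in flag_upload_listing(SAMPLE_LISTING):
        print(f"flagged {path}: {reason}")
```

The strict check deliberately allows exactly one dot in the name: rejecting every multi-extension name is simpler and safer than trying to enumerate which inner extensions are dangerous, and the executable-extension set is still consulted so that a misconfigured allowlist cannot reintroduce the problem. The WAF and listing functions reuse the same extension logic, so the rule you block on and the rule you alert on cannot drift apart.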
