CVE-2023-0721
📋 TL;DR
This vulnerability allows unauthenticated attackers to inject malicious formulas into CSV files exported by the Metform Elementor Contact Form Builder WordPress plugin. When victims download and open these CSV files in spreadsheet applications like Excel or LibreOffice, the embedded formulas can execute arbitrary code on their local systems. WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Metform Elementor Contact Form Builder for WordPress
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution on victim's local machine when they open a malicious CSV file, potentially leading to full system compromise, data theft, or ransomware deployment.
Likely Case
Attackers trick users into downloading and opening malicious CSV files, leading to local code execution, data exfiltration, or credential theft from the victim's workstation.
If Mitigated
With proper security controls, CSV files are opened in safe viewers or sandboxed environments, preventing formula execution and limiting impact to data manipulation.
🎯 Exploit Status
CSV injection is a well-known technique requiring minimal technical skill to weaponize against spreadsheet users.
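As an added illustration of the mechanism and of the usual fix (this is example code, not code from the Metform plugin or from this advisory), the Python below renders form entries as CSV in two ways: the unsafe pattern, where user-supplied values are written verbatim, and a hardened export that prefixes any cell beginning with a formula trigger so spreadsheets display it as text. A small scanner then checks a downloaded file for cells that would be evaluated. The field names and sample entries are constructed; the trigger characters are the four listed in this advisory plus tab and carriage return.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a formula:
# the four named in the advisory plus tab and carriage return, which some applications also honour.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample form entries. The second one carries a harmless formula in the
# name field and a phone number whose leading "+" is also a trigger character.
FIELDS = ["name", "email", "message"]
SAMPLE_ENTRIES = [
    {"name": "Alice Example", "email": "alice@example.invalid", "message": "Hello"},
    {"name": "=SUM(1,2)", "email": "bob@example.invalid", "message": "+41 555 0100"},
]


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of displaying it."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: str) -> str:
    """Output encoding for one cell: a leading apostrophe forces text interpretation.

    The writer below quotes every field, so an embedded double quote cannot close
    the field early and start an unquoted formula later in the same row."""
    return "'" + value if is_formula_cell(value) else value


def export_entries(rows, fields, neutralize=True) -> str:
    """Render form entries as CSV text.

    neutralize=False reproduces the unsafe pattern the advisory describes:
    user-controlled values are written into the file exactly as submitted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        cells = {f: str(row.get(f, "")) for f in fields}
        if neutralize:
            cells = {f: neutralize_cell(v) for f, v in cells.items()}
        writer.writerow(cells)
    return buf.getvalue()


def scan_csv(text: str):
    """Find cells a spreadsheet would evaluate in CSV text.

    Returns (row, column, cell) tuples, 1-based, with the header counted as row 1."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_cell(cell):
                findings.append((r, c, cell))
    return findings


if __name__ == "__main__":
    unsafe = export_entries(SAMPLE_ENTRIES, FIELDS, neutralize=False)
    print("unsafe export, evaluated cells:", scan_csv(unsafe))
    print("hardened export, evaluated cells:", scan_csv(export_entries(SAMPLE_ENTRIES, FIELDS)))
```

The phone number shows the trade-off of this encoding: legitimate values that happen to start with `+` or `-` also receive the apostrophe, so anything that consumes the export programmatically should strip a leading apostrophe rather than treat it as data. The scanner works on parsed cells, not raw bytes, so a quoted `"=SUM(1,2)"` is still reported while the neutralized `'=SUM(1,2)` is not.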
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.1 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2907471/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Metform Elementor Contact Form Builder'.
4. Click 'Update Now' if available, or manually update to version 3.3.1+.
5. Verify that the update completes successfully.
🔧 Temporary Workarounds
Disable CSV Export
Temporarily disable the plugin's CSV export functionality until patched.
Restrict Export Access
Use WordPress role capabilities or .htaccess rules to restrict access to export endpoints to authenticated administrators only.
# Example .htaccess rule: return 403 for any export.php under a metform path
# unless the request carries a WordPress login cookie (a login check, not a role check)
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_ [NC]
RewriteCond %{REQUEST_URI} ^.*metform.*export\.php$
RewriteRule .* - [F,L]
🧯 If You Can't Patch
- Disable or uninstall the Metform plugin entirely and use an alternative contact form solution.
- Implement strict user education policies prohibiting opening CSV files from untrusted sources in spreadsheet applications.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Metform version. If version is 3.3.0 or lower, the site is vulnerable.
Check Version:
wp plugin list --name=metform --field=version (if WP-CLI installed)
Verify Fix Applied:
Confirm plugin version is 3.3.1 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual access to /wp-content/plugins/metform/core/entries/export.php from unauthenticated IPs
- Multiple CSV download requests from single IPs
Network Indicators:
- HTTP GET requests to export.php with suspicious query parameters
- CSV file downloads containing formula characters like =, +, -, @
SIEM Query:
source="web_access.log" AND uri="/wp-content/plugins/metform/core/entries/export.php" AND status=200 AND NOT user_agent="WordPress/*"
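The indicators above, as an added example that is not part of this advisory: a Python script that applies the SIEM query's conditions (the export.php path, status 200, a user agent that is not WordPress/*) to web-server access-log lines in the common "combined" format and then counts successful downloads per client IP, which covers the "multiple CSV download requests from single IPs" indicator. The log lines, IP addresses and the alert threshold are constructed; the path is the one named in the Log Indicators.

```python
import re
from collections import Counter

# Export endpoint named in the Log Indicators above.
EXPORT_PATH = "/wp-content/plugins/metform/core/entries/export.php"

# Apache/nginx "combined" log format:
# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: three rapid downloads from one client, one admin page view,
# one denied export request, and one export fetched with a WordPress-initiated user agent.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Feb/2023:12:00:01 +0000] "GET /wp-content/plugins/metform/core/entries/export.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Feb/2023:12:00:05 +0000] "GET /wp-content/plugins/metform/core/entries/export.php?id=13 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Feb/2023:12:00:09 +0000] "GET /wp-content/plugins/metform/core/entries/export.php?id=14 HTTP/1.1" 200 4700 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2023:12:01:00 +0000] "GET /wp-admin/admin.php?page=metform HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2023:12:01:30 +0000] "GET /wp-content/plugins/metform/core/entries/export.php?id=12 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Feb/2023:12:02:00 +0000] "GET /wp-content/plugins/metform/core/entries/export.php?id=12 HTTP/1.1" 200 5120 "-" "WordPress/6.1; https://example.invalid"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict of named fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def successful_exports(log_text: str):
    """Records matching the SIEM query: export.php, status 200, user agent not WordPress/*."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path_only = rec["path"].split("?", 1)[0]  # compare without the query string
        if (path_only == EXPORT_PATH
                and rec["status"] == "200"
                and not rec["ua"].startswith("WordPress/")):
            hits.append(rec)
    return hits


def flag_ips(log_text: str, threshold: int = 3):
    """Client IPs with at least `threshold` successful exports in the given log text.

    The count here spans the whole input; a production rule would bucket by time window."""
    counts = Counter(rec["ip"] for rec in successful_exports(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for rec in successful_exports(SAMPLE_LOG):
        print(f"{rec['time']} {rec['ip']} {rec['path']} ua={rec['ua']!r}")
    print("flagged IPs:", flag_ips(SAMPLE_LOG))
```

Only the three 200 responses from 203.0.113.10 survive the filter: the 403 is not a successful download, and the WordPress/* user agent is excluded exactly as in the SIEM query. Whether a flagged IP was an authenticated administrator cannot be read from a standard access log, so correlate hits against WordPress login events or a logged-in cookie before treating them as unauthenticated access.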
🔗 References
- https://plugins.trac.wordpress.org/browser/metform/trunk/core/entries/export.php?rev=2845078
- https://plugins.trac.wordpress.org/changeset/2907471/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ccd85a72-1872-4c4f-8ba7-7f91b0b37d4a?source=cve