CVE-2024-33570

4.3 MEDIUM

📋 TL;DR

CVE-2024-33570 is a Missing Authorization (broken access control) weakness in the Metform Elementor Contact Form Builder plugin for WordPress, published by Wpmet: a plugin action is exposed without a sufficient permission check, so a user who should not be allowed to invoke it can. All releases up to and including 3.8.3 are affected; 3.8.4 adds the missing check. The 4.3 (MEDIUM) base score reflects a single low-severity impact, not site takeover.

💻 Affected Systems

Products:
  • Wpmet Metform Elementor Contact Form Builder
Versions: all releases up to and including 3.8.3 (no lower bound published, hence "n/a")
Operating Systems: any; the flaw is in PHP plugin code, so the web server OS is irrelevant
Default Config Vulnerable: ⚠️ Yes
Notes: Any WordPress site with the Metform plugin active is affected; no unusual settings are required.

📦 What is this software?

Metform is a drag-and-drop form builder addon for the Elementor page builder, published by Wpmet. It renders forms on the public side of a WordPress site and stores the submissions (entries) in the WordPress database, which is why an authorization gap in it touches visitor-supplied personal data.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A user without the required capability invokes the unprotected plugin action. Depending on which action is exposed, that can mean reading submitted form entries (visitor personal data) or altering form state. The 4.3 base score corresponds to one low-severity impact, so remote code execution, settings takeover or defacement are not indicated by this CVE.

🟠

Likely Case

Unauthorized read or modification of form data by a user who should not have that access: a privacy incident for the site owner rather than an outage.

🟢

If Mitigated

Once the plugin is updated to 3.8.4 or later (or deactivated), the unprotected action is no longer reachable and no residual exposure from this CVE remains.

🌐 Internet-Facing: HIGH exposure. WordPress sites are almost always public, the plugin's endpoints are reachable over plain HTTP(S), and attackers scan for vulnerable plugin versions at scale.
🏢 Internal Only: LOW exposure. An intranet deployment removes the anonymous scanning traffic, but any user who can reach the site (for example a low-privileged account) retains the same ability to trigger the flaw.

🎯 Exploit Status

Public PoC: ✅ None known
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Unconfirmed. The advisory does not publish the privilege level required, and for a network-reachable bug a 4.3 base score implies that either a low-privileged account or user interaction is needed; treat "anyone on the internet" as the conservative assumption, not an established fact.
Complexity: LOW

Missing-authorization bugs in WordPress plugins are usually reached with a single crafted request to an AJAX action or REST route that lacks a capability (and nonce) check, so exploitation would require nothing beyond an ordinary HTTP client. No public proof-of-concept for this CVE is known at the time of writing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.8.4 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/metform/wordpress-metform-plugin-3-8-3-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins > Installed Plugins.
3. Find 'Metform Elementor Contact Form Builder' and update to version 3.8.4 or higher.
4. Verify that the update completed and that the listed version is 3.8.4 or higher.

🔧 Temporary Workarounds

Disable Plugin Temporarily (applies to all affected versions)

Deactivate the Metform plugin to make its endpoints unreachable until you can patch. Deactivation keeps stored entries in the database but every form built with Metform stops rendering, so schedule it with whoever owns the site's forms.

wp plugin deactivate metform

🧯 If You Can't Patch

  • Restrict access to the WordPress admin area using IP allow-listing or firewall rules. Note that a blanket block on /wp-admin/ also blocks /wp-admin/admin-ajax.php, which public forms commonly depend on; exempt that file, or filter on the specific request instead.
  • Monitor access logs for POST requests to Metform endpoints (REST routes and admin-ajax actions) and alert on unexpected source addresses or volumes.

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in WordPress admin under Plugins > Installed Plugins, or with WP-CLI as shown below. Any version up to and including 3.8.3 is vulnerable.

Check Version:

wp plugin get metform --field=version

Verify Fix Applied:

After updating, confirm the plugin version is 3.8.4 or higher in the same location.
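The check-and-verify steps above as a POSIX shell script. This is an added example, not tooling from the advisory or from Wpmet: the function names (version_lt, metform_is_vulnerable, check_installed) are my own, the 3.8.4 threshold is the Patch Version stated above, and `wp plugin get metform --field=version` is the real WP-CLI command already used on this page. Comparing version strings numerically per component matters because a plain string comparison would rank 3.10.0 below 3.8.4.

```shell
#!/bin/sh
# Added example (not from the advisory or the Metform project): decide whether an
# installed Metform version falls inside the affected range (below 3.8.4).

FIXED_VERSION="3.8.4"

# version_lt A B : exit 0 if A < B, comparing dot-separated numeric components
# (so 3.10.0 is correctly treated as newer than 3.8.4).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0;
            y = (i <= nb) ? pb[i] + 0 : 0;
            if (x < y) exit 0;
            if (x > y) exit 1;
        }
        exit 1;   # equal
    }'
}

# metform_is_vulnerable VERSION : exit 0 when VERSION is affected, 1 when patched,
# 2 when the string is not a dotted numeric version (e.g. "n/a").
metform_is_vulnerable() {
    case "$1" in
        ''|*[!0-9.]*) echo "unrecognised version '$1'" >&2; return 2 ;;
    esac
    version_lt "$1" "$FIXED_VERSION"
}

# check_installed : query WP-CLI when it is available and report the result.
check_installed() {
    command -v wp >/dev/null 2>&1 || { echo "wp-cli not found" >&2; return 2; }
    v="$(wp plugin get metform --field=version 2>/dev/null)" \
        || { echo "metform is not installed" >&2; return 2; }
    if metform_is_vulnerable "$v"; then
        echo "metform $v is VULNERABLE to CVE-2024-33570; update to >= $FIXED_VERSION"
        return 0
    fi
    echo "metform $v is patched (>= $FIXED_VERSION)"
    return 1
}

# Usage: sh metform_check.sh --check   (on the WordPress host, as the web user)
case "${1:-}" in --check) check_installed ;; esac
```

Run it on the WordPress host with `--check`; an exit status of 0 means "vulnerable", which makes it convenient to chain with `wp plugin update metform` in a maintenance job. The exit code 2 branch is deliberate: a missing plugin or an unparsable version should never be silently reported as safe.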

📡 Detection & Monitoring

Log Indicators:

  • POST requests to Metform REST routes or admin-ajax actions from source addresses or user agents that never load the site's pages (scanners typically hit the endpoint directly)
  • Capability-check failures or 403 responses on those endpoints, if your site records them; WordPress core does not log authorization failures by default, so this needs a security plugin or a custom hook

Network Indicators:

  • Requests to PHP files under /wp-content/plugins/metform/ or to /wp-json/metform/ routes; requests for CSS and JavaScript under the plugin directory are normal page loads and should be excluded to avoid noise

SIEM Query:

source="wordpress.log" AND method="POST" AND (uri LIKE "/wp-json/metform/%" OR uri LIKE "/wp-admin/admin-ajax.php%")

Two caveats on building this query from web-server logs: the remote-user field (`user="-"`) is not populated by WordPress, whose sessions live in cookies, so it cannot distinguish anonymous from logged-in callers; and the `action` parameter of admin-ajax.php requests is normally sent in the POST body, which a standard access log does not record. To filter on the action name, log it at the application level or enable request-body logging on the WAF or reverse proxy.
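The web-server-log side of the query above, as a shell script built on awk. This is an added example, not the advisory's or Wpmet's code: the endpoint patterns (routes under /wp-json/metform/, admin-ajax.php requests with an action beginning "metform", and .php files under /wp-content/plugins/metform/) are assumptions to check against your own installation, and the sample log lines are constructed with made-up route and action names, not captured traffic. Because a combined-format log carries neither WordPress session cookies nor POST bodies, the script surfaces activity against Metform endpoints for triage; it cannot prove that a caller was unauthenticated.

```shell
#!/bin/sh
# Added example (not from the advisory or the Metform project): triage a
# combined-format access log for requests that touch Metform endpoints.
# Endpoint patterns are assumptions; verify them against your installation.
# Standard access logs carry neither WordPress session cookies nor POST bodies,
# so this surfaces activity for triage; it cannot prove a caller was anonymous.

# metform_requests : read log lines on stdin; print "ip method uri status" per hit.
metform_requests() {
    awk '
    {
        ip = $1
        # The request line is the quoted "METHOD URI HTTP/x.y" field.
        if (!match($0, /"[A-Z]+ [^ ]+ HTTP\/[0-9.]+"/)) next
        req = substr($0, RSTART + 1, RLENGTH - 2)
        split(req, r, " ")
        method = r[1]; uri = r[2]
        # The status code is the first token after the request line.
        split(substr($0, RSTART + RLENGTH), s, " ")
        status = s[1]
        if (uri ~ /^\/wp-json\/metform\// ||
            uri ~ /^\/wp-admin\/admin-ajax\.php\?.*action=metform/ ||
            uri ~ /^\/wp-content\/plugins\/metform\/.*\.php/) {
            print ip, method, uri, status
        }
    }'
}

# top_sources : hits per source IP, busiest first (read log lines on stdin).
top_sources() {
    metform_requests | awk '{ c[$1]++ } END { for (i in c) print c[i], i }' | sort -rn
}

# sample_log : constructed lines using documentation IP ranges; the REST route
# and action names are invented for the sample and are not real Metform routes.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "POST /wp-json/metform/v1/entries/12 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /wp-content/plugins/metform/public/assets/css/style.css HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "POST /wp-json/metform/v1/forms/12 HTTP/1.1" 200 800 "-" "curl/8.0"
198.51.100.3 - - [10/May/2024:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"
198.51.100.3 - - [10/May/2024:12:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=metform_form_save HTTP/1.1" 403 0 "-" "python-requests/2.31"
EOF
}

# Usage: sh metform_triage.sh --demo     (or: metform_requests < access.log)
case "${1:-}" in --demo) sample_log | top_sources ;; esac
```

Against the constructed sample the CSS request is dropped as ordinary page traffic and three hits remain, two from 203.0.113.7 with a scripting user agent and a 403 from 198.51.100.3. A 403 on a Metform endpoint after the 3.8.4 update is a useful signal in itself: it is the patched capability check refusing a request that would previously have succeeded.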
