Plugin Vulnerability Hub
Plugin | 26 known issues | Latest disclosed Jan 23, 2026

MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor Vulnerabilities

Review known vulnerability records for the WordPress plugin MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor (`metform`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-0633, CVE-2025-5684 and CVE-2025-30914, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 26
High or Critical: 4
Patch Coverage: 100%
Last Updated: Jan 24, 2026

Priority CVE Quick Links

Fast paths into MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 26

CVE-2023-0721 High 3.3.1
CVE-2023-0721 MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor Vulnerability

Metform Elementor Contact Form Builder <= 3.3.0 - Unauthenticated CSV Injection

CVE-2023-0714 High 3.3.0
CVE-2023-0714 MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor Remote Code Execution

Metform Elementor Contact Form Builder <= 3.2.4 - Unauthenticated Double-Extension Arbitrary File Upload

CVE-2022-1442 High 2.1.4
CVE-2022-1442 MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor Vulnerability

Metform Elementor Contact Form Builder <= 2.1.3 - Sensitive Information Disclosure

CVE-2023-0084 High 3.2.0
CVE-2023-0084 MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor Stored Cross-Site Scripting

Metform Elementor Contact Form Builder <= 3.1.2 - Unauthenticated Stored Cross-Site Scripting

CVE-2023-0693 Medium 3.3.2
CVE-2023-0693 MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor Authorization Bypass

Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_transaction_id' shortcode

CVE-2023-0688 Medium 3.3.2
CVE-2023-0688 MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor Authorization Bypass

Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via mf_thankyou shortcode

CVE-2023-0694 Medium 3.3.2
CVE-2023-0694 MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor Authorization Bypass

Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via mf shortcode

CVE-2023-1843 Medium 3.3.2
CVE-2023-1843 MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor Vulnerability

Metform Elementor Contact Form Builder <= 3.3.0 - Missing Authorization

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 26 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 0 critical and 4 high severity findings.
Recent CVEs: CVE-2026-0633, CVE-2025-5684 and CVE-2025-30914
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Sorted by latest disclosure date so newly published issues surface first.

Plugin Low Patched: Yes CVE-2026-0633
CVE-2026-0633: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor <= 4.1.0 - Unauthenticated Form Submission Exposure via Forgeable Cookie Value

The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and curren...

Published: Jan 23, 2026
Patched Release: 4.1.1
Affected Versions: Versions up to 4.1.0
Next Step: Update to 4.1.1 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-5684
CVE-2025-5684: MetForm <= 4.0.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via `mf-template` DOM Element

The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `mf-template` DOM Element in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping...

Published: Jul 29, 2025
Patched Release: 4.0.2
Affected Versions: Versions up to 4.0.1
Next Step: Update to 4.0.2 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-30914
CVE-2025-30914: Metform <= 3.9.2 - Authenticated (Admin+) Server-Side Request Forgery

The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.9.2. This makes it possible for authenticated attackers, with Administrator-level access and abo...

Published: Mar 27, 2025
Patched Release: 3.9.3
Affected Versions: Versions up to 3.9.2
Next Step: Update to 3.9.3 or newer if supported.

Plugin High Patched: Yes CVE-2023-0714
CVE-2023-0714: Metform Elementor Contact Form Builder <= 3.2.4 - Unauthenticated Double-Extension Arbitrary File Upload

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Arbitrary File Upload due to insufficient file type validation in versions up to, and including, 3.2.4. This allows unauthenticated visitors to perform a "double extension" attack and upload files containin...

Published: Aug 16, 2024
Patched Release: 3.3.0
Affected Versions: Versions up to 3.2.4
Next Step: Update to 3.3.0 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-4266
CVE-2024-4266: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor <= 3.8.8 - Unauthenticated Sensitive Information Exposure

The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 3.8.8 via the 'handle_file' function. This can allow unauthenticated attackers to extract sensitive...

Published: Jun 10, 2024
Patched Release: 3.8.9
Affected Versions: Versions up to 3.8.8
Next Step: Update to 3.8.9 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-33570
CVE-2024-33570: Metform Elementor Contact Form Builder <= 3.8.3 - Missing Authorization to Notice Dismissal

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the dismiss_ajax_call function in versions up to, and including, 3.8.3. This makes it possible for authenticated attackers, with...

Published: Apr 25, 2024
Patched Release: 3.8.4
Affected Versions: Versions up to 3.8.3
Next Step: Update to 3.8.4 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-2791
CVE-2024-2791: Metform Elementor Contact Form Builder <= 3.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widgets

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 3.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

Published: Apr 01, 2024
Patched Release: 3.8.6
Affected Versions: Versions up to 3.8.5
Next Step: Update to 3.8.6 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-1585
CVE-2024-1585: Metform Elementor Contact Form Builder <= 3.8.3 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.8.3 due to insufficient input sanitization and output escaping on user supplied attributes. This make...

Published: Mar 07, 2024
Patched Release: 3.8.4
Affected Versions: Versions up to 3.8.3
Next Step: Update to 3.8.4 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-6788
CVE-2023-6788: Metform Elementor Contact Form Builder <= 3.8.1 - Cross-Site Request Forgery

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.1. This is due to missing or incorrect nonce validation on the contents function. This makes it possible for unauthenticated attac...

Published: Jan 08, 2024
Patched Release: 3.8.2
Affected Versions: Versions up to 3.8.1
Next Step: Update to 3.8.2 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-50903
CVE-2023-50903: Metform Elementor Contact Form Builder <= 3.4.0 - Missing Authorization via submit

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit' function in versions up to, and including, 3.4.0. This makes it possible for unauthenticated attackers to enter for...

Published: Dec 26, 2023
Patched Release: 3.4.1
Affected Versions: Versions up to 3.4.0
Next Step: Update to 3.4.1 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-0689
CVE-2023-0689: Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_first_name' shortcode

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_first_name' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive informa...

Published: Aug 30, 2023
Patched Release: 3.3.2
Affected Versions: Versions up to 3.3.1
Next Step: Update to 3.3.2 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-2517
CVE-2023-2517: Metform Elementor Contact Form Builder <= 3.3.2 - Cross-Site Request Forgery via permalink_setup

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.3.2. This is due to missing or incorrect nonce validation on the permalink_setup function. This makes it possible for unauthenticated at...

Published: Jun 22, 2023
Patched Release: 3.3.3
Affected Versions: Versions up to 3.3.2
Next Step: Update to 3.3.3 or newer if supported.