On January 4, 2023, independent security researcher Mohammed Chemouri reached out to the Wordfence Vulnerability Disclosure program to responsibly disclose and request a CVE ID for a vulnerability in Metform Elementor Contact Form Builder, a WordPress plugin with over 100,000 installations.
The vulnerability, an unauthenticated stored cross-site scripting vulnerability, is arguably the most dangerous variant of cross-site scripting as it provides the easiest path to site takeover, and has been assigned an identifier of CVE-2023-0084.
Mohammed reached out to the plugin developer independently the same day and a patched version was made available a few days later, on January 8, 2023. [PYWP clients have already been upgraded to the patched version — billc]
All Wordfence users are protected against this vulnerability by the Wordfence Firewall’s built-in Cross-Site Scripting protection. However, the Wordfence Threat Intelligence team became aware of a possible bypass and released a firewall rule to Wordfence Premium users on February 3, 2023.
This additional protection will become available to Wordfence free users after 30 days, on March 5, 2023, but Wordfence free users can simply update the Metform plugin to the latest version which is 3.2.1 at the time of this writing to gain protection against this vulnerability.