CVE-2023-0714: 
WordPress vulnerability analysis and mitigation

The Metform Elementor Contact Form Builder for WordPress plugin is vulnerable to Arbitrary File Upload in versions up to and including 3.2.4. This vulnerability, identified as CVE-2023-0714, was discovered in August 2024 and allows unauthenticated visitors to perform a 'double extension' attack (NVD, WPScan).

The vulnerability stems from insufficient file type validation in the plugin's file upload functionality. Attackers can exploit this by uploading files with a malicious extension followed by a benign extension, potentially leading to remote code execution in certain configurations. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. It is classified as CWE-434: Unrestricted Upload of File with Dangerous Type (NVD).

If successfully exploited, this vulnerability could allow attackers to upload malicious files to the target system, potentially leading to remote code execution. The high CVSS score indicates that the vulnerability could result in a significant compromise of system confidentiality, integrity, and availability (NVD).

The vulnerability has been fixed in version 3.3.0 of the Metform Elementor Contact Form Builder plugin. Users are advised to update to this version or later to protect against potential attacks (WPScan).