CVE-2023-6788: 
WordPress vulnerability analysis and mitigation

The Metform Elementor Contact Form Builder plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 3.8.1. This vulnerability was discovered and reported by Wordfence, with CVE-2023-6788 being assigned on January 8, 2024 (NVD).

The vulnerability stems from missing or incorrect nonce validation on the contents function. The CVSS v3.1 base score is 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N, indicating that the vulnerability can be exploited remotely and requires user interaction (Wordfence).

If exploited, this vulnerability allows unauthenticated attackers to update specific Hubspot-related options including 'mf_hubsopt_token', 'mf_hubsopt_refresh_token', 'mf_hubsopt_token_type', and 'mf_hubsopt_expires_in' through a forged request. This could enable attackers to connect their own Hubspot account to a victim site's metform installation, potentially gaining access to leads and contacts (NVD).

The vulnerability has been patched in the plugin's source code. Users should update their Metform Elementor Contact Form Builder plugin to a version newer than 3.8.1 to protect against this vulnerability (WordPress Plugin).