CVE-2026-0633
Sensitive Information Exposure in MetForm Plugin Allows Data Access
Publication date: 2026-01-24
Last updated on: 2026-01-24
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpmetform | metform | up to and including 4.1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the MetForm WordPress plugin allows unauthenticated attackers to access sensitive form submission data. It occurs because the plugin uses a forgeable cookie value derived only from the entry ID and current user ID without a server-side secret. This flaw enables attackers to retrieve form entries created within a short time window (default 15 minutes) via MetForm shortcodes. [2]
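The weakness described above is a general one: an access token computed only from public identifiers (an entry ID and a user ID) can be recomputed by anyone who knows or guesses those identifiers, so it proves nothing about who presents it. The following is an added example written for this page, not code from the MetForm plugin or from Wordfence; the token format, the constructed secret and the sample IDs are assumptions. It places the forgeable construction beside a keyed one (an HMAC over the same public values plus an expiry, using a secret that never leaves the server) and shows how the server-side check rejects a token minted without the secret, a token bound to a different entry, and a token past its window.

```python
"""Forgeable vs. keyed access token for a form entry (constructed example)."""
import hashlib
import hmac
import time

# Matches the 15-minute default window mentioned in the advisory text.
WINDOW_SECONDS = 15 * 60


def forgeable_token(entry_id: int, user_id: int) -> str:
    """Weak pattern: a digest over public identifiers only.

    No secret is involved, so any party that knows (or enumerates) the
    entry ID can compute the same value. It is a lookup key, not proof.
    """
    return hashlib.sha256(f"{entry_id}:{user_id}".encode()).hexdigest()


def _mac(payload: str, server_secret: bytes) -> str:
    return hmac.new(server_secret, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(entry_id: int, user_id: int, server_secret: bytes, now=None) -> str:
    """Keyed pattern: 'entry_id:user_id:expires:mac'.

    The MAC covers the identifiers and the expiry, so none of the three
    can be altered without the server-side secret.
    """
    now = time.time() if now is None else now
    expires = int(now) + WINDOW_SECONDS
    payload = f"{entry_id}:{user_id}:{expires}"
    return f"{payload}:{_mac(payload, server_secret)}"


def verify_token(token: str, entry_id: int, user_id: int,
                 server_secret: bytes, now=None) -> bool:
    """Server-side check: binding to the requested entry, expiry, then MAC."""
    now = time.time() if now is None else now
    try:
        eid, uid, expires, mac = token.split(":")
        eid, uid, expires = int(eid), int(uid), int(expires)
    except ValueError:
        return False  # malformed token
    if eid != entry_id or uid != user_id or now > expires:
        return False  # wrong entry, wrong user, or outside the window
    expected = _mac(f"{eid}:{uid}:{expires}", server_secret)
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def demo(now: int = 1_000) -> dict:
    """Run the comparison with constructed values; returns the outcomes."""
    server_secret = b"constructed-server-secret"   # assumption: kept server-side
    outsider_secret = b"anything-an-outsider-picks"  # no knowledge of the real one
    entry_id, user_id = 42, 0                       # constructed sample IDs

    legit = issue_token(entry_id, user_id, server_secret, now=now)
    forged = issue_token(entry_id, user_id, outsider_secret, now=now)
    tampered = legit[:-1] + ("0" if legit[-1] != "0" else "1")

    return {
        # an outsider recomputes the weak token from public values alone
        "weak_token_recomputable": forgeable_token(entry_id, user_id)
        == hashlib.sha256(b"42:0").hexdigest(),
        "legit_accepted": verify_token(legit, entry_id, user_id, server_secret, now=now + 60),
        "forged_rejected": not verify_token(forged, entry_id, user_id, server_secret, now=now + 60),
        "tampered_rejected": not verify_token(tampered, entry_id, user_id, server_secret, now=now + 60),
        "other_entry_rejected": not verify_token(legit, entry_id + 1, user_id, server_secret, now=now + 60),
        "expired_rejected": not verify_token(legit, entry_id, user_id, server_secret,
                                             now=now + WINDOW_SECONDS + 1),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The keyed token still expires after the same window, so the fix is not the time limit but the secret: without it, the expiry and the identifiers can be recomputed by anyone, which is exactly the condition CWE-287 describes.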
How can this vulnerability impact me?
The vulnerability can lead to sensitive information exposure by allowing unauthorized users to access form submission data. This could result in leakage of personal or confidential information submitted through forms, potentially compromising user privacy and trust. [2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the MetForm plugin to version 4.1.1 or later. That release includes extensive code changes that likely address this issue, modifying the core files responsible for entry processing and shortcode handling, which are the components relevant to this vulnerability. [2]