CVE-2026-24610
Deferred - Pending Action
Subscriber Broken Access Control in MetForm Pro

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Subscriber Broken Access Control in MetForm Pro <= 3.9.1 versions.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor / Product: metform pro
Version range: up to 3.9.1 (inclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Executive Summary

The vulnerability in MetForm Pro Plugin versions up to 3.9.1 is a Broken Access Control issue. It allows users with low privileges, such as those assigned the Subscriber role, to perform actions that normally require higher privileges. This happens because the plugin lacks proper authorization checks.

Impact Analysis

This vulnerability can allow unprivileged users to perform unauthorized actions within a WordPress site running the MetForm Pro plugin. Although the severity is rated low (CVSS score 4.3), it could lead to limited unauthorized modifications that should be restricted to users with higher privileges.

Mitigation Strategies

The vulnerability affects MetForm Pro Plugin versions up to and including 3.9.1 and allows unprivileged users to perform actions requiring higher privileges due to broken access control.

As of the report date, there is no official patch available for this vulnerability.

  • Update the MetForm Pro plugin to a non-vulnerable version once it becomes available.
  • Seek assistance from your hosting provider or a developer to implement temporary access restrictions or mitigations.
  • Monitor user roles and permissions closely to limit the risk of exploitation.

Compliance Impact

The provided information does not specify how the Broken Access Control vulnerability in MetForm Pro affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability affects the WordPress MetForm Pro Plugin versions up to and including 3.9.1, allowing users with Subscriber roles to perform unauthorized actions due to broken access control.

To determine whether your system is vulnerable, first verify the installed version of the MetForm Pro plugin. You can do this by checking the plugin version in the WordPress admin dashboard or by running commands on the server:

  • Check the plugin version via WP-CLI: wp plugin list --status=active | grep metform-pro
  • Alternatively, inspect the plugin's main file for version info: grep 'Version:' wp-content/plugins/metform-pro/metform-pro.php

Since the vulnerability allows Subscribers to perform unauthorized actions, you can also monitor logs or audit user actions for suspicious behavior originating from Subscriber accounts.

No specific exploit detection commands or network signatures are provided in the available resources.
