CVE-2026-0633

The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without a server-side secret. This makes it possible for unauthenticated attackers to access form submission entry data via MetForm shortcodes for entries created within the transient TTL (default is 15 minutes).

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/changeset/3438419/metform
https://www.wordfence.com/threat-intel/vulnerabilities/id/d72cc420-1ff5-403b-b4ea-7c820fdebcf3?source=cve

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) El plugin MetForm – Contact Form, Survey, Quiz, & Custom Form Builder para Elementor para WordPress es vulnerable a la Exposición de Información Sensible en versiones hasta la 4.1.0, inclusive. Esto se debe al uso de un valor de cookie falsificable derivado únicamente del ID de entrada y del ID de usuario actual sin un secreto del lado del servidor. Esto hace posible que atacantes no autenticados accedan a los datos de entrada de envío de formularios a través de los shortcodes de MetForm para entradas creadas dentro del TTL transitorio (el valor predeterminado es 15 minutos).

24 Jan 2026, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-24 09:15

Updated : 2026-06-17 10:11

NVD link : CVE-2026-0633

Mitre link : CVE-2026-0633

CVE.ORG link : CVE-2026-0633

JSON object : View

Products Affected

No product.

CWE

CWE-287

Improper Authentication

{"id": "CVE-2026-0633", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-0633", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T17:47:49.095336Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.2}]}, "affected": [{"source": "security@wordfence.com", "affectedData": [{"vendor": "roxnor", "product": "MetForm \u2013 Contact Form, Survey, Quiz, & Custom Form Builder for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.1.0"}], "defaultStatus": "unaffected"}]}], "published": "2026-01-24T09:15:52.843", "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3438419/metform", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d72cc420-1ff5-403b-b4ea-7c820fdebcf3?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "The MetForm \u2013 Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without a server-side secret. This makes it possible for unauthenticated attackers to access form submission entry data via MetForm shortcodes for entries created within the transient TTL (default is 15 minutes)."}, {"lang": "es", "value": "El plugin MetForm \u2013 Contact Form, Survey, Quiz, & Custom Form Builder para Elementor para WordPress es vulnerable a la Exposici\u00f3n de Informaci\u00f3n Sensible en versiones hasta la 4.1.0, inclusive. Esto se debe al uso de un valor de cookie falsificable derivado \u00fanicamente del ID de entrada y del ID de usuario actual sin un secreto del lado del servidor. Esto hace posible que atacantes no autenticados accedan a los datos de entrada de env\u00edo de formularios a trav\u00e9s de los shortcodes de MetForm para entradas creadas dentro del TTL transitorio (el valor predeterminado es 15 minutos)."}], "lastModified": "2026-06-17T10:11:07.157", "sourceIdentifier": "security@wordfence.com"}