Skip to main content

MetForm Pro CVE-2026-24610

| EUVDEUVD-2026-37664 MEDIUM
Missing Authorization (CWE-862)
2026-06-17 Patchstack
4.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-reachable endpoint requiring only subscriber credentials; integrity-only impact with no confidentiality or availability consequence from a missing authorization check.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:55 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in MetForm Pro <= 3.9.1 versions.

AnalysisAI

Broken Access Control in MetForm Pro WordPress plugin (versions <= 3.9.1) permits subscriber-level authenticated users to perform actions restricted to higher-privileged roles, resulting in unauthorized low-level integrity modifications. The flaw stems from missing authorization checks (CWE-862) on one or more plugin endpoints or AJAX handlers accessible to the lowest standard WordPress role. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain subscriber credentials
Delivery
Authenticate to WordPress site
Exploit
Send crafted request to unprotected MetForm Pro endpoint
Execution
Bypass role capability check
Impact
Perform unauthorized integrity-affecting action

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold an active subscriber-level (or higher) WordPress account on the target installation - this is the minimum authenticated role in WordPress (PR:L as reflected in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N accurately reflects the constrained impact profile: network exploitability at low complexity is partially offset by the mandatory subscriber-level account requirement (PR:L) and the limited integrity-only impact with no confidentiality or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WordPress site running MetForm Pro <= 3.9.1 (or uses compromised credentials). The attacker then sends a crafted authenticated request - such as an AJAX call or REST API request - to a MetForm Pro endpoint that lacks proper capability checks, successfully invoking an action reserved for higher-privileged roles and modifying plugin-managed data or form configurations. …
Remediation The primary remediation is to update MetForm Pro to a version released after 3.9.1 that addresses this broken access control flaw. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-24610 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy