Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Plugin endpoint is network-reachable with no auth or user interaction (AV:N/AC:L/PR:N/UI:N); broken access control on form data yields C:H and A:H, with I:N retained per vendor scoring.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in MetForm Pro <= 3.9.1 versions.
AnalysisAI
Unauthenticated broken access control in WPMET MetForm Pro WordPress plugin versions 3.9.1 and earlier allows remote attackers to access protected functionality without credentials, with CVSS 9.1 reflecting high confidentiality and availability impact. Reported by Patchstack, the flaw stems from missing authorization (CWE-862) on plugin endpoints, and no public exploit identified at time of analysis.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Required conditions: the target WordPress site must have the MetForm Pro plugin installed and activated at version 3.9.1 or earlier, and the vulnerable plugin endpoint(s) must be reachable over HTTP/HTTPS from the attacker (default WordPress deployments expose /wp-json and /wp-admin/admin-ajax.php to the internet). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed: the CVSS 9.1 vector (AV:N/AC:L/PR:N/UI:N/C:H/I:N/A:H) describes remote, unauthenticated, low-complexity exploitation with high confidentiality and availability impact and no integrity impact, which is consistent with leaking submitted form data and/or causing denial of service on the plugin's backend, but the published description is a single line and does not name the specific vulnerable endpoint. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker enumerates WordPress sites running MetForm Pro <= 3.9.1, then sends crafted HTTP requests directly to the plugin's exposed REST or admin-ajax endpoints that lack authorization checks. Because the action runs without verifying capability, the attacker retrieves sensitive form submission data or triggers a backend operation that disrupts availability of the form/site, all without credentials and at low complexity per the CVSS vector. |
| Remediation | Patch status from the available data is ambiguous - the Patchstack record covers '<= 3.9.1', which typically implies a fixed version above 3.9.1, but no exact fix version is provided in this input, so treat this as 'Patch available per vendor advisory' and confirm the exact fixed release at https://patchstack.com/database/wordpress/plugin/metform-pro/vulnerability/wordpress-metform-pro-plugin-3-9-1-broken-access-control-vulnerability-2 before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all WordPress installations running MetForm Pro and document affected version numbers; temporarily disable the plugin on non-critical systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Metform Pro
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37665