Skip to main content

MetForm Pro CVE-2026-24611

| EUVDEUVD-2026-37665 CRITICAL
Missing Authorization (CWE-862)
2026-06-17 Patchstack
9.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
9.1 CRITICAL

Plugin endpoint is network-reachable with no auth or user interaction (AV:N/AC:L/PR:N/UI:N); broken access control on form data yields C:H and A:H, with I:N retained per vendor scoring.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:28 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in MetForm Pro <= 3.9.1 versions.

AnalysisAI

Unauthenticated broken access control in WPMET MetForm Pro WordPress plugin versions 3.9.1 and earlier allows remote attackers to access protected functionality without credentials, with CVSS 9.1 reflecting high confidentiality and availability impact. Reported by Patchstack, the flaw stems from missing authorization (CWE-862) on plugin endpoints, and no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running MetForm Pro ≤3.9.1
Delivery
Locate unauthenticated plugin endpoint
Exploit
Send crafted HTTP request bypassing authorization
Execution
Retrieve form data or disrupt service
Impact
Confidentiality and availability impact

Vulnerability AssessmentAI

Exploitation Required conditions: the target WordPress site must have the MetForm Pro plugin installed and activated at version 3.9.1 or earlier, and the vulnerable plugin endpoint(s) must be reachable over HTTP/HTTPS from the attacker (default WordPress deployments expose /wp-json and /wp-admin/admin-ajax.php to the internet). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed: the CVSS 9.1 vector (AV:N/AC:L/PR:N/UI:N/C:H/I:N/A:H) describes remote, unauthenticated, low-complexity exploitation with high confidentiality and availability impact and no integrity impact, which is consistent with leaking submitted form data and/or causing denial of service on the plugin's backend, but the published description is a single line and does not name the specific vulnerable endpoint. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker enumerates WordPress sites running MetForm Pro <= 3.9.1, then sends crafted HTTP requests directly to the plugin's exposed REST or admin-ajax endpoints that lack authorization checks. Because the action runs without verifying capability, the attacker retrieves sensitive form submission data or triggers a backend operation that disrupts availability of the form/site, all without credentials and at low complexity per the CVSS vector.
Remediation Patch status from the available data is ambiguous - the Patchstack record covers '<= 3.9.1', which typically implies a fixed version above 3.9.1, but no exact fix version is provided in this input, so treat this as 'Patch available per vendor advisory' and confirm the exact fixed release at https://patchstack.com/database/wordpress/plugin/metform-pro/vulnerability/wordpress-metform-pro-plugin-3-9-1-broken-access-control-vulnerability-2 before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress installations running MetForm Pro and document affected version numbers; temporarily disable the plugin on non-critical systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-24611 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy