Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network-reachable endpoint requiring only subscriber credentials; integrity-only impact with no confidentiality or availability consequence from a missing authorization check.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Broken Access Control in MetForm Pro <= 3.9.1 versions.
AnalysisAI
Broken Access Control in MetForm Pro WordPress plugin (versions <= 3.9.1) permits subscriber-level authenticated users to perform actions restricted to higher-privileged roles, resulting in unauthorized low-level integrity modifications. The flaw stems from missing authorization checks (CWE-862) on one or more plugin endpoints or AJAX handlers accessible to the lowest standard WordPress role. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis, but the low attack complexity and network accessibility make this exploitable by any user with a valid WordPress subscriber account on an affected site.
Technical ContextAI
MetForm Pro is a premium WordPress form builder plugin developed by wpmet, affected across all versions up to and including 3.9.1 (CPE: cpe:2.3:a:wpmet:metform_pro:*:*:*:*:*:*:*:*). The root cause is CWE-862 (Missing Authorization), a class of vulnerability where server-side code does not verify that the currently authenticated user holds the permissions necessary to execute a given action. In WordPress, subscriber is the lowest privileged authenticated role; correctly implemented capability checks (e.g., current_user_can()) are absent or insufficient on at least one plugin-registered action or REST endpoint, allowing subscribers to reach functionality intended for editors, administrators, or the plugin's own privileged workflows.
RemediationAI
The primary remediation is to update MetForm Pro to a version released after 3.9.1 that addresses this broken access control flaw. Consult the official wpmet plugin repository and the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/metform-pro/vulnerability/wordpress-metform-pro-plugin-3-9-1-broken-access-control-vulnerability) for the confirmed patched release version, as the exact fix version was not independently confirmed in the available data - do not rely on a version number not sourced from the vendor or Patchstack. As a compensating control if immediate patching is not feasible, disable open user registration on the WordPress site (Settings > General > uncheck 'Anyone can register') to eliminate the ability for unauthenticated actors to self-provision subscriber accounts; note this may impact legitimate site workflows. Additionally, review and audit which users currently hold subscriber roles and remove any unnecessary accounts. A web application firewall rule scoped to MetForm Pro's AJAX endpoints may reduce exposure but should not be treated as a substitute for patching.
More in Metform Pro
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37664