Skip to main content

MetForm Pro EUVDEUVD-2026-37664

| CVE-2026-24610 MEDIUM
Missing Authorization (CWE-862)
2026-06-17 Patchstack
4.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-reachable endpoint requiring only subscriber credentials; integrity-only impact with no confidentiality or availability consequence from a missing authorization check.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:55 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in MetForm Pro <= 3.9.1 versions.

AnalysisAI

Broken Access Control in MetForm Pro WordPress plugin (versions <= 3.9.1) permits subscriber-level authenticated users to perform actions restricted to higher-privileged roles, resulting in unauthorized low-level integrity modifications. The flaw stems from missing authorization checks (CWE-862) on one or more plugin endpoints or AJAX handlers accessible to the lowest standard WordPress role. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis, but the low attack complexity and network accessibility make this exploitable by any user with a valid WordPress subscriber account on an affected site.

Technical ContextAI

MetForm Pro is a premium WordPress form builder plugin developed by wpmet, affected across all versions up to and including 3.9.1 (CPE: cpe:2.3:a:wpmet:metform_pro:*:*:*:*:*:*:*:*). The root cause is CWE-862 (Missing Authorization), a class of vulnerability where server-side code does not verify that the currently authenticated user holds the permissions necessary to execute a given action. In WordPress, subscriber is the lowest privileged authenticated role; correctly implemented capability checks (e.g., current_user_can()) are absent or insufficient on at least one plugin-registered action or REST endpoint, allowing subscribers to reach functionality intended for editors, administrators, or the plugin's own privileged workflows.

RemediationAI

The primary remediation is to update MetForm Pro to a version released after 3.9.1 that addresses this broken access control flaw. Consult the official wpmet plugin repository and the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/metform-pro/vulnerability/wordpress-metform-pro-plugin-3-9-1-broken-access-control-vulnerability) for the confirmed patched release version, as the exact fix version was not independently confirmed in the available data - do not rely on a version number not sourced from the vendor or Patchstack. As a compensating control if immediate patching is not feasible, disable open user registration on the WordPress site (Settings > General > uncheck 'Anyone can register') to eliminate the ability for unauthenticated actors to self-provision subscriber accounts; note this may impact legitimate site workflows. Additionally, review and audit which users currently hold subscriber roles and remove any unnecessary accounts. A web application firewall rule scoped to MetForm Pro's AJAX endpoints may reduce exposure but should not be treated as a substitute for patching.

Share

EUVD-2026-37664 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy