Metform Pro
Monthly
Unauthenticated broken access control in WPMET MetForm Pro WordPress plugin versions 3.9.1 and earlier allows remote attackers to access protected functionality without credentials, with CVSS 9.1 reflecting high confidentiality and availability impact. Reported by Patchstack, the flaw stems from missing authorization (CWE-862) on plugin endpoints, and no public exploit identified at time of analysis.
Broken Access Control in MetForm Pro WordPress plugin (versions <= 3.9.1) permits subscriber-level authenticated users to perform actions restricted to higher-privileged roles, resulting in unauthorized low-level integrity modifications. The flaw stems from missing authorization checks (CWE-862) on one or more plugin endpoints or AJAX handlers accessible to the lowest standard WordPress role. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis, but the low attack complexity and network accessibility make this exploitable by any user with a valid WordPress subscriber account on an affected site.
Unauthenticated broken access control in WPMET MetForm Pro WordPress plugin versions 3.9.1 and earlier allows remote attackers to access protected functionality without credentials, with CVSS 9.1 reflecting high confidentiality and availability impact. Reported by Patchstack, the flaw stems from missing authorization (CWE-862) on plugin endpoints, and no public exploit identified at time of analysis.
Broken Access Control in MetForm Pro WordPress plugin (versions <= 3.9.1) permits subscriber-level authenticated users to perform actions restricted to higher-privileged roles, resulting in unauthorized low-level integrity modifications. The flaw stems from missing authorization checks (CWE-862) on one or more plugin endpoints or AJAX handlers accessible to the lowest standard WordPress role. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis, but the low attack complexity and network accessibility make this exploitable by any user with a valid WordPress subscriber account on an affected site.