Description
Server-Side Request Forgery (SSRF) vulnerability in Roxnor Metform metform allows Server Side Request Forgery.This issue affects Metform: from n/a through <= 3.9.2.
Published: 2025-03-27
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Metform plugin contains a Server‑Side Request Forgery flaw that allows an attacker to force the WordPress host to request arbitrary URLs. By exploiting this flaw, an attacker could communicate with internal services, exfiltrate data, or use the infected host as a pivot to access other resources. The weakness is classified as CWE‑918.

Affected Systems

Any WordPress site that has Roxnor Metform installed and runs a version up to and including 3.9.2 is affected. Versions newer than 3.9.2 are considered fixed.

Risk and Exploitability

The CVSS rating of 4.4 indicates moderate severity, while the EPSS score of <1% signals a low current exploitation probability and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through a publicly accessible form that accepts a URL parameter; the plugin processes that URL without validation, allowing an attacker to force outbound requests to internal addresses or external services.

Generated by OpenCVE AI on May 1, 2026 at 03:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Metform to version 3.9.3 or later
  • Configure WordPress or a third‑party plugin to restrict outbound HTTP requests from Metform to a whitelist of approved hosts
  • Validate and whitelist any form fields that accept URLs to prevent arbitrary address resolution and subsequent requests

Generated by OpenCVE AI on May 1, 2026 at 03:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-8309 Server-Side Request Forgery (SSRF) vulnerability in XpeedStudio Metform allows Server Side Request Forgery. This issue affects Metform: from n/a through 3.9.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in XpeedStudio Metform allows Server Side Request Forgery. This issue affects Metform: from n/a through 3.9.2. Server-Side Request Forgery (SSRF) vulnerability in Roxnor Metform metform allows Server Side Request Forgery.This issue affects Metform: from n/a through <= 3.9.2.
Title WordPress Metform Elementor Contact Form Builder plugin <= 3.9.2 - Server Side Request Forgery (SSRF) vulnerability WordPress Metform Elementor Contact Form Builder plugin <= 3.9.7 - Server Side Request Forgery (SSRF) vulnerability
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Thu, 27 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 27 Mar 2025 11:00:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in XpeedStudio Metform allows Server Side Request Forgery. This issue affects Metform: from n/a through 3.9.2.
Title WordPress Metform Elementor Contact Form Builder plugin <= 3.9.2 - Server Side Request Forgery (SSRF) vulnerability
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:00.361Z

Reserved: 2025-03-26T09:21:45.625Z

Link: CVE-2025-30914

cve-icon Vulnrichment

Updated: 2025-03-27T14:24:36.332Z

cve-icon NVD

Status : Deferred

Published: 2025-03-27T11:15:52.130

Modified: 2026-04-23T15:27:19.050

Link: CVE-2025-30914

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T03:45:07Z

Weaknesses