Impact
The MetForm plugin for Elementor is vulnerable because an attacker can forge a cookie value that consists only of the form entry ID and the current user ID, without any server‑side secret. By creating a forged cookie for a short‑lived entry (cached for 15 minutes by default), an unauthenticated user can embed the MetForm shortcode that points to that entry ID and retrieve the entire submission data. The consequence is the exposure of any personal, financial, or otherwise sensitive information that users entered into survey or quiz forms. This flaw is an instance of Improper Authentication, classified as CWE‑287.
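The weakness described above is a cookie value that can be recomputed from public identifiers. As an added example (not MetForm's code or its fix; every function name and the token layout are hypothetical), this is one way to bind such a value to a server-side secret and to the 15-minute lifetime so that a recomputed value fails verification:

```php
<?php
// Added example with hypothetical helper names; not taken from MetForm.

// Unkeyed form, for comparison only: derived purely from identifiers, so
// anyone who knows or guesses them can compute the same value.
function unkeyed_entry_token(int $entryId, int $userId): string {
    return hash('sha256', $entryId . '|' . $userId);
}

// Keyed form: HMAC over the identifiers plus an expiry, using a secret that
// never leaves the server.
function issue_entry_token(string $secret, int $entryId, int $userId, int $ttl, int $now): string {
    $expires = $now + $ttl;
    $mac = hash_hmac('sha256', $entryId . '|' . $userId . '|' . $expires, $secret);
    return $expires . '.' . $mac;
}

function verify_entry_token(string $secret, string $token, int $entryId, int $userId, int $now): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // malformed token
    }
    [$expires, $mac] = $parts;
    if ((int) $expires < $now) {
        return false; // past the lifetime of the cached entry
    }
    $expected = hash_hmac('sha256', $entryId . '|' . $userId . '|' . $expires, $secret);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Constructed sample values. Assumption: inside WordPress the secret would
// come from site configuration (for example wp_salt()), not be generated per request.
$secret = random_bytes(32);
$now    = 1700000000;
$token  = issue_entry_token($secret, 42, 7, 900, $now); // 900 s = 15 minutes

$checks = [
    'valid token accepted'       => verify_entry_token($secret, $token, 42, 7, $now + 60),
    'other entry ID rejected'    => !verify_entry_token($secret, $token, 43, 7, $now + 60),
    'expired token rejected'     => !verify_entry_token($secret, $token, 42, 7, $now + 901),
    'identifier-only value rejected'
        => !verify_entry_token($secret, ($now + 900) . '.' . unkeyed_entry_token(42, 7), 42, 7, $now),
];
foreach ($checks as $label => $ok) {
    if (!$ok) {
        throw new RuntimeException("check failed: $label");
    }
    echo "ok: $label\n";
}
```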
Affected Systems
All releases of the MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin distributed by roxnor, up to and including version 4.1.0, are affected. The vulnerability is confined to the MetForm plugin itself; WordPress core and other plugins are not directly affected by this forged cookie mechanism.
Risk and Exploitability
With a CVSS score of 3.7, the vulnerability carries moderate severity, and an EPSS score of less than 1% indicates a low probability of current exploitation. It is not listed in the CISA KEV catalog. The attack requires no user authentication; the attacker only needs to know or guess a valid entry ID and user ID for an entry that still exists within the transient cache. Because the data is cached only for 15 minutes, the window of opportunity is limited, but during that period an attacker can read the exposed submission data, potentially revealing sensitive information. Due to the narrow exposure window combined with the moderate severity, immediate remediation is advised to prevent data leakage.