Description
The MetForm Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Quiz feature in all versions up to, and including, 3.9.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-03-10
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (unauthenticated script injection that persists in pages)
Action: Patch immediately
AI Analysis

Impact

The vulnerability is a stored XSS flaw in the Quiz feature of MetForm Pro. Unsanitized input is saved and later rendered without proper escaping, allowing an attacker to inject arbitrary JavaScript. The injected script runs whenever a victim visits an affected page, potentially enabling cookie theft, session hijacking, defacement, or other malicious actions. The weakness is classified as CWE-79, affecting confidentiality, integrity, and availability of the site.

Affected Systems

All releases of the MetForm Pro WordPress plugin up to and including version 3.9.6, distributed by wpmet.

Risk and Exploitability

The CVSS score of 7.2 indicates moderate severity, while the EPSS score of less than 1% shows a very low probability of current exploitation. The vulnerability is not listed by CISA as a Known Exploited Vulnerability. Attackers can exploit the flaw without authentication by submitting forged quiz data; because the stored payload executes on every subsequent load of the affected page, any site with the plugin active is exposed to broad impact.

Generated by OpenCVE AI on April 15, 2026 at 16:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MetForm Pro to a version newer than 3.9.6 if one is available from wpmet.
  • If an up-to-date version cannot be applied, disable or remove the Quiz feature or the entire MetForm Pro plugin from the WordPress installation.
  • Deploy a web application firewall or security plugin that blocks common XSS payloads and enforces a strict Content Security Policy to reduce the risk of injected scripts executing.


Tracking


Advisories

No advisories yet.

History

Wed, 11 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wpmet; Wpmet metform Pro
Vendors & Products | | Wordpress; Wordpress wordpress; Wpmet; Wpmet metform Pro

Tue, 10 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 09:45:00 +0000

Type | Values Removed | Values Added
Description | | The MetForm Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Quiz feature in all versions up to, and including, 3.9.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | MetForm Pro <= 3.9.6 - Unauthenticated Stored Cross-Site Scripting
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
Wpmet Metform Pro
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:08.199Z

Reserved: 2026-01-20T20:49:36.993Z

Link: CVE-2026-1261

Vulnrichment

Updated: 2026-03-10T15:57:56.418Z

NVD

Status: Deferred

Published: 2026-03-10T18:18:04.723

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-1261

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:00:07Z

Weaknesses