Impact
The vulnerability is a subscriber broken access control flaw in MetForm Pro versions 3.9.1 and earlier. Because the plugin fails to enforce proper authorization checks, an attacker with any level of access can view, create, edit, or delete subscriber data that should be restricted. This flaw is identified as CWE-862, where authorization mechanisms are insufficient, potentially compromising data confidentiality and integrity.
Affected Systems
The affected software is the WordPress plugin MetForm Pro from WPMet, specifically versions up to and including 3.9.1. Site owners who have deployed these versions are at risk until they update to a newer release.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate risk level, and the EPSS score is not available, suggesting no current public exploitation data. The issue is not listed in the CISA KEV catalog. Exploitation requires only access to the WordPress site where the plugin is installed, and can be performed through the plugin interface or by manipulating form submissions, making it potentially achievable by attackers with basic website access.
OpenCVE Enrichment