Description
Subscriber Broken Access Control in MetForm Pro <= 3.9.1 versions.
Published: 2026-06-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a subscriber broken access control flaw in MetForm Pro versions 3.9.1 and earlier. Because the plugin fails to enforce proper authorization checks, an attacker with any level of access can view, create, edit, or delete subscriber data that should be restricted. This flaw is identified as CWE-862, where authorization mechanisms are insufficient, potentially compromising data confidentiality and integrity.

Affected Systems

The affected software is the WordPress plugin MetForm Pro from WPMet, specifically versions up to and including 3.9.1. Site owners who have deployed these versions are at risk until they update to a newer release.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk level, and the EPSS score is not available, suggesting no current public exploitation data. The issue is not listed in the CISA KEV catalog. Exploitation requires only access to the WordPress site where the plugin is installed, and can be performed through the plugin interface or by manipulating form submissions, making it potentially achievable by attackers with basic website access.

Generated by OpenCVE AI on June 18, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MetForm Pro to the latest version (greater than 3.9.1) to apply the vendor-supplied fix.
  • If an immediate upgrade is not possible, temporarily disable or uninstall the MetForm Pro plugin to prevent the vulnerability from being exploitable.
  • Review the plugin’s configuration settings and audit site logs for any unauthorized subscriber activity, and consider tightening access controls on sensitive WordPress pages.

Generated by OpenCVE AI on June 18, 2026 at 12:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpmet
Wpmet metform Pro
Vendors & Products Wordpress
Wordpress wordpress
Wpmet
Wpmet metform Pro
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber Broken Access Control in MetForm Pro <= 3.9.1 versions.
Title WordPress MetForm Pro plugin <= 3.9.1 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress Wordpress
Wpmet Metform Pro
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:33:26.405Z

Reserved: 2026-01-23T12:32:24.371Z

Link: CVE-2026-24610

cve-icon Vulnrichment

Updated: 2026-06-17T15:33:21.363Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T12:30:04Z

Weaknesses