Description
Unauthenticated Broken Access Control in MetForm Pro <= 3.9.1 versions.
Published: 2026-06-17
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MetForm Pro WordPress plugin contains an unauthenticated broken access control flaw. This flaw allows an attacker to perform actions that are normally restricted to authenticated plugin users. Because the access checks are missing or ineffective (CWE‑862), the attacker can bypass normal permissions and potentially alter plugin settings or remove forms. The impact is a compromise of the plugin’s integrity and availability, and, if the plugin is used for sensitive data collection, a possible exposure of that data.

Affected Systems

This vulnerability affects any WordPress site that has the MetForm Pro plugin installed with version 3.9.1 or earlier. It is not limited by the core WordPress version or hosting environment; the flaw resides in the plugin code itself.

Risk and Exploitability

The high CVSS score of 9.1 indicates a very severe risk. The EPSS score is not available and the issue is not listed in the CISA KEV catalog, but the public disclosure and the unauthenticated nature of the flaw mean that exploitation is likely feasible on any site with internet access, especially when standard WordPress admin URLs are exposed. An attacker does not need credentials to attempt the exploit, making it a significant threat for sites using this plugin.

Generated by OpenCVE AI on June 18, 2026 at 14:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MetForm Pro plugin to a version newer than 3.9.1 as soon as the vendor releases a fix.
  • If an upgrade cannot be applied immediately, remove or disable the plugin entirely to eliminate the attack surface until a patch is available.
  • Restrict access to the plugin’s admin URLs using a firewall or access control list so that only trusted users can reach them, mitigating the potential impact of the flaw.

Generated by OpenCVE AI on June 18, 2026 at 14:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpmet
Wpmet metform Pro
Vendors & Products Wordpress
Wordpress wordpress
Wpmet
Wpmet metform Pro

Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Broken Access Control in MetForm Pro <= 3.9.1 versions.
Title WordPress MetForm Pro plugin <= 3.9.1 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Subscriptions

Wordpress Wordpress
Wpmet Metform Pro
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:33:41.834Z

Reserved: 2026-01-23T12:32:24.371Z

Link: CVE-2026-24611

cve-icon Vulnrichment

Updated: 2026-06-17T15:33:35.621Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:45:11Z

Weaknesses