Impact
The MetForm Pro WordPress plugin contains an unauthenticated broken access control flaw. This flaw allows an attacker to perform actions that are normally restricted to authenticated plugin users. Because the access checks are missing or ineffective (CWE‑862), the attacker can bypass normal permissions and potentially alter plugin settings or remove forms. The impact is a compromise of the plugin’s integrity and availability, and, if the plugin is used for sensitive data collection, a possible exposure of that data.
Affected Systems
This vulnerability affects any WordPress site that has the MetForm Pro plugin installed with version 3.9.1 or earlier. It is not limited by the core WordPress version or hosting environment; the flaw resides in the plugin code itself.
Risk and Exploitability
The high CVSS score of 9.1 indicates a very severe risk. The EPSS score is not available and the issue is not listed in the CISA KEV catalog, but the public disclosure and the unauthenticated nature of the flaw mean that exploitation is likely feasible on any site with internet access, especially when standard WordPress admin URLs are exposed. An attacker does not need credentials to attempt the exploit, making it a significant threat for sites using this plugin.
OpenCVE Enrichment