Metform WordPress Plugin Sensitive Information Disclosure Vulnerability

Vulnerability

A sensitive information disclosure vulnerability has been identified in the Metform WordPress plugin, affecting all versions up to and including 2.1.3. The issue arises from improper access control in the 'action.php' file, located within the 'core/forms' directory. Unauthenticated attackers can exploit it to view all API keys and secrets stored for the plugin's integrated third-party services, including PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA, and others.

Impact

Exploitation of this vulnerability allows unauthenticated users to access sensitive information, specifically API keys and secrets from various third-party integrations, which could be misused to access those services or perform actions on behalf of the user.

Reproduction

To reproduce this vulnerability, send a GET request to the '/wp-json/metform/v1/forms/templates/0' endpoint. This request will return a list of all form IDs and their titles. After identifying a form ID, send another GET request to the '/wp-json/metform/v1/forms/get/{form_id_here}' endpoint, replacing '{form_id_here}' with the numeric form ID obtained from the previous step. This request will disclose all the sensitive information, including API keys and secrets from integrated third-party services.
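For site operators who want to check whether this two-step request sequence already appears in their web server access logs, the following Python snippet is an added detection example; it is not part of the advisory or of the Metform plugin. It assumes combined-format access logs, and the log lines it runs over are constructed sample data.

```python
import re

# Constructed sample access-log lines (combined log format), not real traffic.
# The first client enumerates form IDs via templates/0 and then fetches two forms;
# the second client is ordinary REST traffic and should not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [15/May/2026:08:10:01 +0000] "GET /wp-json/metform/v1/forms/templates/0 HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [15/May/2026:08:10:03 +0000] "GET /wp-json/metform/v1/forms/get/12 HTTP/1.1" 200 2048 "-" "curl/8.4.0"
203.0.113.5 - - [15/May/2026:08:10:04 +0000] "GET /wp-json/metform/v1/forms/get/13 HTTP/1.1" 200 1990 "-" "curl/8.4.0"
198.51.100.7 - - [15/May/2026:08:11:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 7100 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The two REST routes named in the advisory.
TEMPLATES_RE = re.compile(r'^/wp-json/metform/v1/forms/templates/\d+$')
GET_FORM_RE = re.compile(r'^/wp-json/metform/v1/forms/get/(?P<form_id>\d+)$')


def parse_line(line):
    """Return a dict of log fields, or None if the line is not combined-log format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Flag successful GETs to forms/get/{id}.

    Each finding records whether the same client had already hit the
    templates enumeration route, which is the exact sequence from the
    advisory; a forms/get hit without prior enumeration is lower confidence.
    Access logs do not show authentication state, so every 200 response is
    reported and should be reviewed against known plugin or admin activity.
    """
    enumerated = set()
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["method"] != "GET" or rec["status"] != "200":
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if TEMPLATES_RE.match(path):
            enumerated.add(rec["ip"])
        m = GET_FORM_RE.match(path)
        if m:
            findings.append({"ip": rec["ip"], "form_id": m.group("form_id"),
                             "preceded_by_enumeration": rec["ip"] in enumerated})
    return findings
```

A finding with `preceded_by_enumeration` set is the strongest signal; if the site runs a version through 2.1.3, treat the keys of the affected integrations as exposed and rotate them after updating.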

Remediation

Users are advised to update the Metform WordPress plugin to version 2.1.4 or later.

Added: May 15, 2026, 8:56 AM
Updated: May 15, 2026, 8:56 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 7.9
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.