MetForm WordPress Plugin Sensitive Information Exposure Vulnerability

Vulnerability

A sensitive information exposure vulnerability has been identified in the MetForm WordPress plugin, affecting all versions through 4.1.0. The cookie value that gates access to a submitted form entry is derived solely from the entry ID and the current user ID, with no server-side secret mixed in, so anyone who knows or can guess those two values can compute a valid cookie themselves. This lets unauthenticated attackers read form submission data through MetForm shortcodes for any entry created within the default transient time-to-live of 15 minutes.

Impact

An unauthenticated attacker who computes the cookie value for a given entry ID can read the submitted form data for that entry, without any account on the site, as long as the entry was created within the last 15 minutes (the default transient time-to-live). Depending on what the form collects, this can include personal or contact information submitted by other visitors.

Remediation

Update MetForm to version 4.1.1 or a newer patched release.

Added: Jan 24, 2026, 9:29 AM
Updated: Jan 24, 2026, 9:29 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.7
remediation: 0.0
relevance: 2.3
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.