Platform
wordpress
Component
metform
Fixed in
4.1.1
CVE-2026-0633 describes a sensitive information exposure vulnerability affecting the MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress. An unauthenticated attacker can potentially access form submission data by exploiting a forgeable cookie value. This vulnerability impacts versions 0.0.0 through 4.1.0 of the plugin, and a fix is available in version 4.1.1.
The core of this vulnerability lies in the predictable cookie value used by MetForm to identify form submission entries. Attackers can craft a malicious shortcode that leverages this predictable value, allowing them to bypass authentication and retrieve sensitive data submitted through the form. The data exposed includes form submissions, which could contain personally identifiable information (PII) like names, email addresses, and other custom fields defined within the form. The exposure window is limited to the Transient TTL (default 15 minutes), but during this period, an attacker could potentially harvest a significant amount of data. While the CVSS score is LOW, the potential for PII exposure necessitates prompt remediation.
CVE-2026-0633 was published on January 24, 2026. The vulnerability's CVSS base score is 3.7 (LOW). No public Proof-of-Concept (PoC) code has been identified as of this writing. It is not listed in the CISA KEV catalog, and its EPSS score is low (0.06%), suggesting no widespread exploitation campaigns are currently known. Refer to the official WordPress security advisory for further details.
Exploit Status
EPSS: 0.06% (17th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-0633 is to immediately upgrade the MetForm plugin to version 4.1.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling MetForm shortcodes on publicly accessible pages. While not a complete solution, this will prevent attackers from exploiting the vulnerability through shortcodes. Web Application Firewalls (WAFs) configured to inspect shortcode parameters could potentially detect and block malicious requests attempting to exploit the cookie forging mechanism. Monitor WordPress logs for unusual activity related to MetForm shortcodes, specifically looking for requests with unusual or unexpected parameters.
Update to version 4.1.1, or a newer patched version
CVE-2026-0633 is a LOW severity vulnerability in the MetForm WordPress plugin affecting versions 0.0.0–4.1.0. It allows unauthenticated attackers to access form submission data via forgeable cookies, potentially exposing sensitive information.
You are affected if you are using MetForm plugin versions 0.0.0 through 4.1.0. Check the installed plugin version with the WP-CLI command wp plugin list and upgrade immediately if it falls within the affected range.
Upgrade the MetForm plugin to version 4.1.1 or later. If upgrading is not immediately possible, temporarily disable MetForm shortcodes on public pages.
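The version check described above, scripted as an added example (this is not code from the advisory or from the MetForm project). It assumes WP-CLI is installed and that the plugin appears under the slug "metform" in the output of wp plugin list, which is the component name given on this page; the CSV sample embedded below is constructed for offline testing.

```shell
#!/bin/sh
# Added example: decide whether the installed MetForm version is inside the
# affected range for CVE-2026-0633 (0.0.0 through 4.1.0; fixed in 4.1.1).

FIXED_VERSION="4.1.1"

# Constructed sample of `wp plugin list --format=csv` output (not real data),
# used when the script runs without --live.
SAMPLE_CSV="name,status,update,version
elementor,active,none,3.25.0
metform,active,available,4.0.9"

# version_lt A B: exit 0 if dotted version A is strictly lower than B.
# Components are compared numerically; a suffix such as "-beta" is ignored and
# missing components count as 0 (so "4.1" == "4.1.0"). Both inputs get ".0.0.0"
# appended so cut always sees a delimiter.
version_lt() {
    va="$1.0.0.0"
    vb="$2.0.0.0"
    i=1
    while [ "$i" -le 4 ]; do
        ai=$(printf '%s\n' "$va" | cut -d. -f"$i" | sed 's/[^0-9].*$//')
        bi=$(printf '%s\n' "$vb" | cut -d. -f"$i" | sed 's/[^0-9].*$//')
        ai=${ai:-0}
        bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# metform_status VERSION: print VULNERABLE if VERSION < 4.1.1, else PATCHED.
metform_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "VULNERABLE"
    else
        echo "PATCHED"
    fi
}

# metform_version_from_csv: read `wp plugin list --format=csv` on stdin and
# print the version column for the row whose name is "metform" (assumed slug).
metform_version_from_csv() {
    awk -F, '$1 == "metform" { print $4 }'
}

# With --live, query the real site through WP-CLI; otherwise use the sample.
if [ "${1-}" = "--live" ]; then
    installed=$(wp plugin list --format=csv | metform_version_from_csv)
else
    installed=$(printf '%s\n' "$SAMPLE_CSV" | metform_version_from_csv)
fi

if [ -z "$installed" ]; then
    echo "MetForm not found in plugin list"
else
    echo "MetForm $installed: $(metform_status "$installed") (fixed in $FIXED_VERSION)"
fi
```

Run it as sh check_metform.sh --live on the WordPress host to test the real installation; without the flag it evaluates the embedded sample and reports the 4.0.9 row as vulnerable.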
As of the current assessment, CVE-2026-0633 is not known to be actively exploited, and no public PoCs are available.
Refer to the official WordPress security advisory and the MetForm plugin developer's website for the latest information and updates regarding CVE-2026-0633.