LOW · CVE-2026-0633 · CVSS 3.7

CVE-2026-0633: Sensitive Information Exposure in MetForm

Platform

wordpress

Component

metform

Fixed in

4.1.1

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2026-0633 describes a sensitive information exposure vulnerability affecting the MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress. An unauthenticated attacker can potentially access form submission data by exploiting a forgeable cookie value. This vulnerability impacts versions 0.0.0 through 4.1.0 of the plugin, and a fix is available in version 4.1.1.


Impact and Attack Scenarios

The core of this vulnerability is the cookie value MetForm uses to associate a visitor with a form submission entry: it is predictable, so an attacker can forge it. An unauthenticated attacker who presents a forged cookie to a page that renders a MetForm shortcode can be served submission data that belongs to another user, with no authentication involved. The exposed data is the content of form submissions, which may include personally identifiable information (PII) such as names, email addresses, and any custom fields the site defined in the form. Because the submission is held in a transient, the exposure window for each entry is limited to the transient TTL (15 minutes by default), but an attacker who keeps forging identifiers during that window can harvest submissions as they arrive. The CVSS score is LOW because of the high attack complexity and limited confidentiality impact, but the possibility of PII exposure still warrants prompt remediation.

Exploitation Context

CVE-2026-0633 was published on January 24, 2026. Its CVSS 3.1 base score is 3.7 (LOW); this reflects the high attack complexity and limited confidentiality impact, not the likelihood of exploitation. No public Proof-of-Concept (PoC) code has been identified as of this writing. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and its EPSS score is 0.06% (17th percentile), so no widespread exploitation campaign is known. Refer to the Wordfence advisory for this CVE and the MetForm changelog for further details.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.06% (17th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 base score: 3.7 (LOW)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Source: nextguardhq.com, CVSS v3.1 base score

What do these metrics mean?

Attack Vector: Network. Remotely exploitable over the internet; no physical or local access is required, so the attack surface is as wide as it gets.
Attack Complexity: High. Success depends on conditions the attacker does not control. For this CVE, a forged cookie value only yields data while the transient holding a submission is still alive (15 minutes by default), so the attacker has to hit that window.
Privileges Required: None. No login or credentials are needed.
User Interaction: None. The victim does nothing: no click, no file open.
Scope: Unchanged. Impact is limited to the vulnerable component itself.
Confidentiality: Low. The attacker gains limited information; here, the contents of individual form submissions.
Integrity: None. The attacker cannot modify data.
Availability: None. The service remains fully operational.

Affected Software

Component
metform
Vendor (as listed in the record; Wordfence is the assigning CNA, not the plugin author)
wordfence
Affected range
0 – 4.1.0
Fixed in
4.1.1

Package Information

Active installs
600K
Plugin rating
4.7
Requires WordPress
5.0+
Compatible up to
7.0
Requires PHP
7.4+

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published (January 24, 2026)
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-0633 is to upgrade the MetForm plugin to version 4.1.1 or later without delay. If upgrading is not immediately feasible because of compatibility concerns, temporarily remove MetForm forms (the MetForm shortcodes) from publicly accessible pages; this removes the page through which a forged cookie is consumed, but it is not a complete fix and it also stops form intake. A Web Application Firewall (WAF) only helps if it inspects the request cookie MetForm uses for the entry identifier, since that cookie, not a query parameter, is what the attacker forges; a realistic rule is to rate-limit a single client that presents many different values of that cookie against form pages. Review web server access logs for the same pattern: bursts of requests to pages that render MetForm forms from one client, each carrying a different cookie value, particularly within the 15-minute transient window following legitimate submissions.

How to fix

Update to version 4.1.1, or a newer patched version


Frequently asked questions

What is CVE-2026-0633 — Sensitive Information Exposure in MetForm?

CVE-2026-0633 is a LOW severity (CVSS 3.7) vulnerability in the MetForm WordPress plugin affecting versions 0.0.0 through 4.1.0 and fixed in 4.1.1. It allows unauthenticated attackers to access form submission data by forging the cookie value that identifies a submission entry, potentially exposing personally identifiable information.

Am I affected by CVE-2026-0633 in MetForm?

You are affected if you are using MetForm plugin versions 0.0.0 through 4.1.0. Check your plugin version using wp plugin list and upgrade immediately if vulnerable.
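The version check this answer describes, together with the fix in the section above, as an added shell example (not code from the advisory or from the MetForm project): it compares an installed MetForm version against the fixed release 4.1.1 and, where WP-CLI is available, reads that version from the site. The plugin slug metform, the wp plugin get --field=version invocation, and the site path are assumptions about your deployment; the version strings in the final loop are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory or the MetForm project): decide whether
# an installed MetForm version falls inside the affected range for
# CVE-2026-0633 (0 - 4.1.0, fixed in 4.1.1) and print the remediation command.

FIXED_VERSION="4.1.1"

# numeric_field STRING N: print the N-th dot-separated field of STRING with any
# non-numeric suffix stripped (so "0-rc1" compares as 0); empty if absent.
numeric_field() {
  printf '%s\n' "$1" | awk -F. -v n="$2" '{ f = $n; sub(/[^0-9].*/, "", f); print f }'
}

# version_lt A B: succeed (exit 0) when version A sorts strictly before B.
# Missing trailing fields count as 0, so "4.1" equals "4.1.0".
version_lt() {
  i=1
  while :; do
    x=$(numeric_field "$1" "$i")
    y=$(numeric_field "$2" "$i")
    if [ -z "$x" ] && [ -z "$y" ]; then
      return 1          # ran out of fields on both sides: equal, not less
    fi
    x=${x:-0}
    y=${y:-0}
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
}

# metform_affected VERSION: succeed when VERSION is vulnerable to CVE-2026-0633.
metform_affected() {
  version_lt "$1" "$FIXED_VERSION"
}

# check_site WP_PATH: read the installed MetForm version with WP-CLI and report.
# Assumes WP-CLI is installed and that the plugin slug is "metform" (the slug
# this advisory uses); returns 2 when the plugin is not installed there.
check_site() {
  v=$(wp plugin get metform --field=version --path="$1" 2>/dev/null) || return 2
  if metform_affected "$v"; then
    echo "$1: MetForm $v is affected; run: wp plugin update metform --path=$1"
    return 0
  fi
  echo "$1: MetForm $v is not affected (fixed in $FIXED_VERSION)"
  return 1
}

# Stand-alone demonstration on constructed version strings (no WP-CLI needed).
for v in 3.9.2 4.1.0 4.1.0-rc1 4.1.1 4.2; do
  if metform_affected "$v"; then
    echo "$v: affected"
  else
    echo "$v: not affected"
  fi
done
```

For a fleet, call check_site once per WordPress root (for example from a loop over /var/www/*/) and act on the lines that report "affected"; the exit codes let you count affected, clean, and MetForm-free sites separately.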

How do I fix CVE-2026-0633 in MetForm?

Upgrade the MetForm plugin to version 4.1.1 or later. If upgrading is not immediately possible, temporarily disable MetForm shortcodes on public pages.

Is CVE-2026-0633 being actively exploited?

As of the current assessment, CVE-2026-0633 is not known to be actively exploited, and no public PoCs are available.

Where can I find the official MetForm advisory for CVE-2026-0633?

Refer to the Wordfence advisory for CVE-2026-0633 (Wordfence is the source listed for this record) and to the MetForm plugin developer's changelog and website for the latest information and updates.
