Platform: wordpress
Component: metform
Fixed version: 4.1.1
CVE-2026-0633 describes a sensitive information exposure vulnerability affecting the MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress. An unauthenticated attacker can potentially access form submission data by exploiting a forgeable cookie value. This vulnerability impacts versions 0.0.0 through 4.1.0 of the plugin, and a fix is available in version 4.1.1.
The core of this vulnerability lies in the predictable cookie value used by MetForm to identify form submission entries. Attackers can craft a malicious shortcode that leverages this predictable value, allowing them to bypass authentication and retrieve sensitive data submitted through the form. The data exposed includes form submissions, which could contain personally identifiable information (PII) like names, email addresses, and other custom fields defined within the form. The exposure window is limited to the Transient TTL (default 15 minutes), but during this period, an attacker could potentially harvest a significant amount of data. While the CVSS score is LOW, the potential for PII exposure necessitates prompt remediation.
CVE-2026-0633 was published on January 24, 2026. The vulnerability's CVSS base score is 3.7 (LOW), indicating low severity. No public Proof-of-Concept (PoC) code has been identified as of this writing. It is not listed in the CISA KEV catalog and its EPSS score is low, suggesting no known widespread exploitation campaigns. Refer to the official WordPress security advisory for further details.
Exploit status
EPSS: 0.06% (17th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-0633 is to immediately upgrade the MetForm plugin to version 4.1.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling MetForm shortcodes on publicly accessible pages. While not a complete solution, this will prevent attackers from exploiting the vulnerability through shortcodes. Web Application Firewalls (WAFs) configured to inspect shortcode parameters could potentially detect and block malicious requests attempting to exploit the cookie forging mechanism. Monitor WordPress logs for unusual activity related to MetForm shortcodes, specifically looking for requests with unusual or unexpected parameters.
Update to version 4.1.1 or a later fixed version.
CVE-2026-0633 is a LOW severity vulnerability in the MetForm WordPress plugin affecting versions 0.0.0–4.1.0. It allows unauthenticated attackers to access form submission data via forgeable cookies, potentially exposing sensitive information.
You are affected if you are using MetForm plugin versions 0.0.0 through 4.1.0. Check your plugin version using wp plugin list and upgrade immediately if vulnerable.
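The following script is an added example for the version check described above; it is not code from the advisory or from the MetForm project. It assumes WP-CLI is installed, that the plugin slug is "metform" (as listed on this page), and that "wp plugin get metform --field=version" returns the bare version string. The version comparison is numeric on dot-separated components so that, for instance, 4.10.0 is correctly treated as newer than 4.1.1 and a pre-release suffix such as "-beta" is ignored.

```shell
#!/bin/sh
# Added example (not from the advisory or the MetForm project): report whether the
# installed MetForm version falls in the affected range 0.0.0 through 4.1.0.
# Assumptions: WP-CLI is installed, the plugin slug is "metform", and
# "wp plugin get metform --field=version" prints the bare version string.

FIXED_VERSION="4.1.1"   # first fixed release, taken from the advisory

# version_lt A B: exit 0 if dotted-numeric version A is lower than B.
# Non-numeric suffixes (e.g. "-beta") are dropped; missing components count as 0.
version_lt() {
  i=1
  while :; do
    # A trailing dot guarantees a delimiter, so "4" is split the same way as "4.0".
    pa=$(printf '%s.' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
    pb=$(printf '%s.' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
    # No components left in either version: A equals B, so it is not lower.
    if [ -z "$pa" ] && [ -z "$pb" ]; then
      return 1
    fi
    pa=${pa:-0}
    pb=${pb:-0}
    if [ "$pa" -lt "$pb" ]; then return 0; fi
    if [ "$pa" -gt "$pb" ]; then return 1; fi
    i=$((i + 1))
  done
}

# metform_is_vulnerable VERSION: exit 0 if VERSION is below the fixed release.
metform_is_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# check_site WP_PATH: query WP-CLI for the installed MetForm version and report.
# Exit status: 0 = patched, 1 = vulnerable, 2 = could not determine.
check_site() {
  ver=$(wp plugin get metform --field=version --path="$1" 2>/dev/null) || {
    echo "UNKNOWN: MetForm not installed or WP-CLI unavailable at $1"
    return 2
  }
  if metform_is_vulnerable "$ver"; then
    echo "VULNERABLE: metform $ver is below $FIXED_VERSION; upgrade now"
    return 1
  fi
  echo "OK: metform $ver is at or above $FIXED_VERSION"
  return 0
}

# Usage: sh check_metform.sh /var/www/html   (path to the WordPress root)
if [ -n "${1:-}" ]; then
  check_site "$1"
fi
```

Run it against each WordPress root you manage; a non-zero exit status from check_site makes it easy to wire into a fleet-wide audit loop or a monitoring job until every site reports 4.1.1 or later.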
Upgrade the MetForm plugin to version 4.1.1 or later. If upgrading is not immediately possible, temporarily disable MetForm shortcodes on public pages.
As of the current assessment, CVE-2026-0633 is not known to be actively exploited, and no public PoCs are available.
Refer to the official WordPress security advisory and the MetForm plugin developer's website for the latest information and updates regarding CVE-2026-0633.