MetForm – 联系表单、调查问卷、测验和自定义表单构建器 for Elementor <= 4.1.0 - 通过伪造的 Cookie 值暴露未经验证的表单提交
平台
wordpress
组件
metform
修复版本
4.1.1
CVE-2026-0633 describes a sensitive information exposure vulnerability affecting the MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress. An unauthenticated attacker can potentially access form submission data by exploiting a forgeable cookie value. This vulnerability impacts versions 0.0.0 through 4.1.0 of the plugin, and a fix is available in version 4.1.1.
检测此 CVE 是否影响你的项目
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。
影响与攻击场景翻译中…
The core of this vulnerability lies in the predictable cookie value used by MetForm to identify form submission entries. Attackers can craft a malicious shortcode that leverages this predictable value, allowing them to bypass authentication and retrieve sensitive data submitted through the form. The data exposed includes form submissions, which could contain personally identifiable information (PII) like names, email addresses, and other custom fields defined within the form. The exposure window is limited to the Transient TTL (default 15 minutes), but during this period, an attacker could potentially harvest a significant amount of data. While the CVSS score is LOW, the potential for PII exposure necessitates prompt remediation.
利用背景翻译中…
CVE-2026-0633 was published on January 24, 2026. The vulnerability's CVSS score is LOW (3.7), indicating a relatively low probability of exploitation. No public Proof-of-Concept (PoC) code has been identified as of this writing. It is not currently listed on KEV or EPSS, suggesting no immediate widespread exploitation campaigns are known. Refer to the official WordPress security advisory for further details.
威胁情报
漏洞利用状态
EPSS
0.06% (17% 百分位)
CISA SSVC
CVSS 向量
这些指标意味着什么?
- Attack Vector
- 网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
- Attack Complexity
- 高 — 需要竞态条件、非默认配置或特定情况。难以可靠利用。
- Privileges Required
- 无 — 无需认证,无需凭证即可利用。
- User Interaction
- 无 — 攻击自动且无声,受害者无需任何操作。
- Scope
- 未改变 — 影响仅限于脆弱组件本身。
- Confidentiality
- 低 — 可访问部分数据。
- Integrity
- 无 — 无完整性影响。
- Availability
- 无 — 无可用性影响。
受影响的软件
软件包信息
- 活跃安装数
- 600K已知
- 插件评分
- 4.7
- 需要WordPress版本
- 5.0+
- 兼容至
- 7.0
- 需要PHP版本
- 7.4+
弱点分类 (CWE)
时间线
- 已保留
- 发布日期
- 修改日期
- EPSS 更新日期
缓解措施和替代方案翻译中…
The primary mitigation for CVE-2026-0633 is to immediately upgrade the MetForm plugin to version 4.1.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling MetForm shortcodes on publicly accessible pages. While not a complete solution, this will prevent attackers from exploiting the vulnerability through shortcodes. Web Application Firewalls (WAFs) configured to inspect shortcode parameters could potentially detect and block malicious requests attempting to exploit the cookie forging mechanism. Monitor WordPress logs for unusual activity related to MetForm shortcodes, specifically looking for requests with unusual or unexpected parameters.
修复方法
更新到 4.1.1 版本,或更新的修复版本
CVE 安全通讯
漏洞分析和关键警报直接发送到您的邮箱。
常见问题翻译中…
What is CVE-2026-0633 — Sensitive Information Exposure in MetForm?
CVE-2026-0633 is a LOW severity vulnerability in the MetForm WordPress plugin affecting versions 0.0.0–4.1.0. It allows unauthenticated attackers to access form submission data via forgeable cookies, potentially exposing sensitive information.
Am I affected by CVE-2026-0633 in MetForm?
You are affected if you are using MetForm plugin versions 0.0.0 through 4.1.0. Check your plugin version using wp plugin list and upgrade immediately if vulnerable.
How do I fix CVE-2026-0633 in MetForm?
Upgrade the MetForm plugin to version 4.1.1 or later. If upgrading is not immediately possible, temporarily disable MetForm shortcodes on public pages.
Is CVE-2026-0633 being actively exploited?
As of the current assessment, CVE-2026-0633 is not known to be actively exploited, and no public PoCs are available.
Where can I find the official MetForm advisory for CVE-2026-0633?
Refer to the official WordPress security advisory and the MetForm plugin developer's website for the latest information and updates regarding CVE-2026-0633.