MetForm < 4.1.1 – Unauthenticated Form Submission Exposure via Forgeable Cookie Value | CVE 2026-0633 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Sensitive Information Exposure due to the use of a forgeable cookie value derived only from the entry ID and current user ID without a server-side secret. This makes it possible for unauthenticated attackers to access form submission entry data via MetForm shortcodes for entries created within the transient TTL (default is 15 minutes).

Affects Plugins

Fixed in 4.1.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d72cc420-1ff5-403b-b4ea-7c820fdebcf3

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

type5afe

Verified

No

WPVDB ID

3f2e37cd-4382-4f06-aadb-34883573dff6

Timeline

Publicly Published

2026-01-23 (about 3 months ago)

Added

2026-01-23 (about 3 months ago)

Last Updated

2026-01-23 (about 3 months ago)

Other

Published

Title

Published

2025-07-21

Title

WooCommerce < 10.0 - Shop Manager PII Leak in Multisite

Published

2024-07-09

Title

WP2Speed Faster – Optimize PageSpeed Insights Score 90-100 <= 1.0.1 - Unauthenticated Information Exposure

Published

2026-01-21

Title

Salon booking system < 10.30.4 - Authenticated (Subscriber+) Information Exposure

Published

2025-09-22

Title

Estonian Shipping Methods for WooCommerce <= 1.7.2 - Unauthenticated Sensitive Information Exposure

Published

2021-09-09

Title

WordPress 5.4 to 5.8 - Data Exposure via REST API