
44 matches found

NVD
added 2026/01/24 9:15 a.m. · 4 views

CVE-2026-0633

The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without...

CVSS 3.7 · EPSS 0.0007
Exploits: 0 · References: 2

Cvelist
added 2026/01/24 8:26 a.m. · 25 views

CVE-2026-0633 MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor <= 4.1.0 - Unauthenticated Form Submission Exposure via Forgeable Cookie Value

The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without...

CVSS 3.7 · EPSS 0.0007
Exploits: 0 · References: 2

ATTACKERKB
added 2026/01/24 8:26 a.m. · 3 views

CVE-2026-0633

The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without...

CVSS 3.7 · AI score 5.9 · EPSS 0.0007
Exploits: 0 · References: 3

Positive Technologies
added 2026/01/24 12:0 a.m. · 2 views

PT-2026-4593

The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without...

CVSS 3.7 · AI score 5.5 · EPSS 0.0007
Exploits: 0 · References: 3

EUVD
added 2025/10/03 8:7 p.m. · 4 views

EUVD-2025-23038

Malicious code in bioql PyPI...

CVSS 6.4 · AI score 6.5 · EPSS 0.00164
Exploits: 0 · References: 2

Vulnrichment
added 2025/07/29 7:42 p.m. · 3 views

CVE-2025-5684 MetForm <= 4.0.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via `mf-template` DOM Element

The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the mf-template DOM Element in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it...

CVSS 6.4 · AI score 5.5 · EPSS 0.00164
Exploits: 0 · References: 2

CVE
added 2025/07/29 7:42 p.m. · 14 views

CVE-2025-5684

CVE-2025-5684 : MetForm – WordPress plugin vulnerable to Stored Cross-Site Scripting via the mf-template DOM element in all versions up to and including 4.0.1. An authenticated attacker with Contributor-level access or higher can inject scripts executed by users on injected pages. Public sources ...

CVSS 6.4 · AI score 5.8 · EPSS 0.00164
Exploits: 0 · References: 2

Positive Technologies
added 2025/07/29 12:0 a.m. · 5 views

PT-2025-31262 · Elementor +1

Name of the Vulnerable Software and Affected Versions: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress versions up to and including 4.0.1 Description: The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress ...

CVSS 6.4 · AI score 5.7 · EPSS 0.00164
Exploits: 0 · References: 6

RedhatCVE
added 2025/05/23 8:48 a.m. · 1 view

CVE-2024-4266

The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 3.8.8 via the 'handlefile' function. This can allow unauthenticated attackers to extract sensitive data, such as...

CVSS 7.5 · AI score 5.9 · EPSS 0.01362
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/23 5:41 a.m. · 3 views

CVE-2023-0721

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to CSV injection in versions up to, and including, 3.3.0. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and...

CVSS 8.3 · AI score 7.9 · EPSS 0.00826
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/23 5:40 a.m. · 1 view

CVE-2023-0694

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about any standard form...

CVSS 6.5 · AI score 4.9 · EPSS 0.00322
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/23 5:39 a.m. · 2 views

CVE-2023-0692

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mfpaymentstatus' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about the...

CVSS 4.3 · AI score 5.1 · EPSS 0.00249
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/23 3:2 a.m. · 2 views

CVE-2023-1843

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to unauthorized permalink structure update due to a missing capability check on the permalinksetup function in versions up to, and including, 3.3.0. This makes it possible for unauthenticated attackers to change the...

CVSS 6.5 · AI score 5.4 · EPSS 0.00137
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/23 2:56 a.m. · 1 view

CVE-2023-0691

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mflastname' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary...

CVSS 4.3 · AI score 5 · EPSS 0.00249
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/23 2:56 a.m. · 1 view

CVE-2023-0689

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mffirstname' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrar...

CVSS 4.3 · AI score 5.1 · EPSS 0.00165
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/23 2:52 a.m. · 3 views

CVE-2023-0710

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'fname' attribute of the 'mfthankyou' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level...

CVSS 5.4 · AI score 5.4 · EPSS 0.00104
Exploits: 0 · References: 1

Patchstack
added 2024/08/19 1:53 a.m. · 4 views

WordPress Metform Elementor Contact Form Builder plugin <= 3.2.4 - Unauthenticated Double-Extension Arbitrary File Upload vulnerability

Unauthenticated Double-Extension Arbitrary File Upload vulnerability discovered by Ram in WordPress Plugin Metform versions <= 3.2.4...

CVSS 9.8 · AI score 7 · EPSS 0.13921
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2024/08/19 12:0 a.m. · 13 views

WordPress Metform Elementor Contact Form Builder Plugin <= 3.2.4 is vulnerable to Arbitrary File Upload

Software: Metform Elementor Contact Form Builder · Type: Plugin · Vulnerable versions: <= 3.2.4 · Fixed in: 3.3.0 · OWASP Top 10: A1: Injection · Classification: Arbitrary File Upload · CVE: CVE-2023-0714 · Patch priority: High · CVSS severity: High 9 · Developer: Wpmet · PSID: a1d516cfa020 · Credits: Ram · Required privilege...

CVSS 9.8 · AI score 6.8 · EPSS 0.13921
Exploits: 0 · References: 3 · Affected Software: 1

CVE
added 2024/06/11 7:32 a.m. · 50 views

CVE-2024-4266

CVE-2024-4266 concerns the MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress. The vulnerability is an unauthenticated sensitive information exposure via handle_file in MetForm versions

CVSS 7.5 · AI score 5.6 · EPSS 0.01362
Exploits: 0 · References: 3 · Affected Software: 1

Vulnrichment
added 2024/06/11 7:32 a.m. · 20 views

CVE-2024-4266 MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor <= 3.8.8 - Unauthenticated Sensitive Information Exposure

The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 3.8.8 via the 'handlefile' function. This can allow unauthenticated attackers to extract sensitive data, such as...

CVSS 5.3 · AI score 6.8 · EPSS 0.01362
Exploits: 0 · References: 3