External risk intelligence

MetForm Pro Unauthenticated Broken Access Control Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-24611

A critical vulnerability exists in MetForm Pro, a WordPress plugin, allowing unauthenticated attackers to bypass access controls. This could lead to unauthorized access to sensitive data and disruption of service. Confirming its use is essential to understand potential business risk.

Halo Surface Signal

Likely · external exposure

Halo Surface Signal score: 4

The vulnerability affects a WordPress plugin, which functions as a web application component. WordPress sites and their associated plugins are commonly deployed as public-facing web services, making the attack surface reachable from the internet by design.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability in the MetForm Pro plugin that could allow an unauthenticated attacker to bypass access controls and reach functionality intended to be restricted. The primary concern is to confirm whether this plugin is in use and to assess potential exposure.

  • Unauthenticated access flaw in a WordPress plugin.
  • Potentially impacts data confidentiality and system availability.
  • Verify usage to understand potential business risk.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending HTTP requests to the affected plugin's endpoints on the WordPress site without any prior authentication. Because the plugin does not enforce an authorization check, the attacker can interact with a component that should have been restricted, which could lead to data compromise or denial of service.

  • No authentication required to start.
  • Access control allows unauthorized interaction.
  • Leads to data exposure and service disruption.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to bypass access controls within MetForm Pro, potentially leading to unauthorized access to sensitive information or disruption of service when the plugin is used.

  • System data could be exposed.
  • Unauthorized access may occur remotely.
  • Service availability could be impacted.

Operational Fix

Recommended remediation, mitigation, and detection steps

This unauthenticated broken access control vulnerability in MetForm Pro affects WordPress sites that have the plugin installed, which are typically managed by application owners or platform teams. The first step is to identify every site where the plugin is present, assess each site's exposure and business criticality, and then coordinate remediation with the accountable owners.

  • Application owners should own the issue.
  • Verify plugin reachability and criticality first.
  • Apply the vendor's fixed version as soon as it is available; until then, consider deactivating the plugin on exposed sites or restricting access to it.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-24611 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This unauthenticated broken access control vulnerability in MetForm Pro carries a critical CVSS score (9.1) in an internet-facing component. ASV scans report non-compliance for any vulnerability with a CVSS base score of 4.0 or higher, so an unpatched, externally reachable instance would typically cause a PCI scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the MetForm Pro plugin?

MetForm Pro is an extension designed for WordPress, the widely used content management system. It functions as a specialized component that adds dynamic forms and data collection capabilities to websites. Because it integrates directly into the WordPress framework, it processes user inputs and manages form data, making it a critical bridge between public visitors and the site's backend database.

What does broken access control mean for CVE-2026-24611?

This vulnerability is classified as CWE-862 (Missing Authorization), which means the software fails to verify that the caller has permission to perform a specific action. In this case, the plugin does not confirm a user's identity or authorization level before granting access to some of its functions. Consequently, an unauthenticated person can interact with plugin features that were intended to be restricted, bypassing the site's intended security boundaries.
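To make the CWE-862 pattern concrete, the following is an added, illustrative example of how a missing authorization check typically looks in a WordPress plugin and how it is fixed. It is not MetForm Pro's code and does not reproduce the actual flaw; the plugin name, REST namespace, route, AJAX action and option name (`example-forms/v1`, `/export`, `example_forms_delete`, `example_forms_submissions`) are hypothetical placeholders.

```php
<?php
// Illustrative only: NOT MetForm Pro's code. Shows the CWE-862 (Missing
// Authorization) pattern as it commonly appears in WordPress plugins, alongside
// the hardened form. All names below are hypothetical.

// --- Vulnerable REST route: '__return_true' is WordPress' built-in "always allow"
// callback, so GET /wp-json/example-forms/v1/export is reachable by anyone.
add_action('rest_api_init', function () {
    register_rest_route('example-forms/v1', '/export', [
        'methods'             => 'GET',
        'callback'            => 'example_forms_export',
        'permission_callback' => '__return_true',   // CWE-862: nobody is asked who they are
    ]);
});

// --- Fixed REST route: same handler, but the permission callback enforces a capability.
add_action('rest_api_init', function () {
    register_rest_route('example-forms/v1', '/export-secure', [
        'methods'             => 'GET',
        'callback'            => 'example_forms_export',
        'permission_callback' => function (WP_REST_Request $request) {
            // For cookie-authenticated REST calls WordPress validates X-WP-Nonce before
            // this runs; here we only decide whether the resolved user may read submissions.
            if (!current_user_can('manage_options')) {
                return new WP_Error('rest_forbidden', 'Insufficient permissions', ['status' => 403]);
            }
            return true;
        },
    ]);
});

function example_forms_export(WP_REST_Request $request) {
    // Hypothetical option holding stored form submissions.
    $submissions = get_option('example_forms_submissions', []);
    return rest_ensure_response($submissions);
}

// --- Vulnerable admin-ajax handler: the 'wp_ajax_nopriv_' hook exposes the action to
// logged-out visitors, and the handler performs no capability or nonce check.
add_action('wp_ajax_nopriv_example_forms_delete', 'example_forms_delete_vulnerable');
function example_forms_delete_vulnerable() {
    delete_option('example_forms_submissions');    // destructive action, no authorization
    wp_send_json_success();
}

// --- Fixed admin-ajax handler: registered only for logged-in users (no nopriv hook),
// with a nonce check against CSRF and an explicit capability check.
add_action('wp_ajax_example_forms_delete', 'example_forms_delete_fixed');
function example_forms_delete_fixed() {
    check_ajax_referer('example_forms_delete');   // dies with 403 if the nonce is missing/invalid
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    delete_option('example_forms_submissions');
    wp_send_json_success();
}
```

Two points generalize beyond this snippet: a `permission_callback` of `__return_true` is only appropriate for routes that are meant to be public, and a nonce check alone is not an authorization check, since nonces only bind a request to a session and do not establish what that session is allowed to do.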

How can an attacker trigger this vulnerability?

An attacker can initiate this flaw by sending specifically crafted network requests directly to the affected plugin's interface. Because the vulnerability is unauthenticated, no login credentials, cookies, or prior session interaction are needed to initiate the attack. If the plugin's endpoints are reachable, simply directing traffic to them can trigger the unauthorized behavior; internal administrative actions or specific user sessions are not required to exploit this defect.

Is my site at risk if I use MetForm Pro?

According to Halo Surface Signal, this vulnerability is categorized as having an external attack vector. Since WordPress plugins are typically integrated into web services that are exposed to the public internet by design, the plugin's functionality is often reachable to anyone online. If your instance is accessible via the internet, it should be considered a potential target for unauthorized interaction regardless of its internal configuration.

Do I need to take action if I am running this software?

Yes, you should begin by creating an inventory of all websites where the MetForm Pro plugin is currently installed. Once you have identified these instances, determine the business importance of each site and coordinate with the team responsible for application updates. Prioritize verifying plugin reachability and prepare to apply vendor-provided security patches as soon as they become available to restore proper access control enforcement.
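The inventory step described in the Operational Fix section and in this answer can be scripted. The following is an added example, not Halo's or the plugin vendor's tooling: it takes the JSON that `wp plugin list --format=json --path=/var/www/<site>` prints for each site you manage, reports where the plugin is installed and active, and flags versions below a fixed version you supply. The slug `metform-pro`, the fixed version `3.9.0` and the sample site data are placeholders; the advisory does not state a fixed version, so confirm the slug and the patched release against the vendor's changelog before acting on the output.

```php
<?php
// Added example (not MetForm Pro's or Halo's code). Triage helper for the
// inventory step: which sites run the plugin, is it active, and is the installed
// version below the vendor's fixed version. Slug, fixed version and sample data
// are placeholders; verify them against the vendor's changelog.

/**
 * @param array<string,string> $inventory  site label => JSON from `wp plugin list --format=json`
 * @param string               $slug       plugin slug to look for
 * @param string|null          $fixed      first fixed version, or null if not yet published
 * @return array<int,array<string,string>> one row per site where the plugin is installed
 */
function triage_plugin_inventory(array $inventory, string $slug, ?string $fixed): array
{
    $rows = [];
    foreach ($inventory as $site => $json) {
        $plugins = json_decode($json, true);
        if (!is_array($plugins)) {
            // Unparseable wp-cli output: surface it rather than silently skipping the site.
            $rows[] = ['site' => $site, 'status' => 'error', 'version' => '',
                       'exposed' => 'unknown', 'priority' => 'P2'];
            continue;
        }
        foreach ($plugins as $p) {
            if (($p['name'] ?? '') !== $slug) {
                continue;
            }
            $version = (string) ($p['version'] ?? '');
            $active  = ($p['status'] ?? '') === 'active';
            // With no published fix, every installed copy must be treated as exposed.
            $exposed = $fixed === null
                ? 'unknown'
                : (version_compare($version, $fixed, '<') ? 'yes' : 'no');
            $rows[] = [
                'site'     => $site,
                'status'   => $active ? 'active' : 'inactive',
                'version'  => $version,
                'exposed'  => $exposed,
                // Only an active plugin serves its endpoints, so active + not-fixed is P1.
                // Inactive copies still leave code on disk: update or remove them (P3).
                'priority' => ($active && $exposed !== 'no') ? 'P1' : 'P3',
            ];
        }
    }
    return $rows;
}

// Constructed sample output of `wp plugin list --format=json` for three sites.
$sample = [
    'shop.example'  => '[{"name":"metform-pro","status":"active","update":"available","version":"3.8.0"}]',
    'blog.example'  => '[{"name":"akismet","status":"active","update":"none","version":"5.3"}]',
    'intra.example' => '[{"name":"metform-pro","status":"inactive","update":"none","version":"3.9.2"}]',
];

echo implode("\t", ['site', 'status', 'version', 'exposed', 'priority']), PHP_EOL;
foreach (triage_plugin_inventory($sample, 'metform-pro', '3.9.0') as $row) {
    echo implode("\t", $row), PHP_EOL;
}
```

Run it as `php triage.php` after collecting the per-site JSON (for a multisite install, run `wp plugin list` per site or with `--network` as appropriate). Sites reported as P1 are the ones to confirm for internet reachability first; an inactive copy does not serve the plugin's endpoints, but it should still be updated or removed so that it cannot be activated later in a vulnerable state.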
