ByteOS Network

MetForm Pro

Source -

CNA

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2026-1782

Assigner-Wordfence

View Details

Assigner-Wordfence

CVSS Score-5.3||MEDIUM

EPSS-0.04% / 12.78%

7 Day CHG~0.00%

Published-15 Apr, 2026 | 08:28

Updated-15 Apr, 2026 | 18:07

MetForm Pro <= 3.9.7 - Unauthenticated Payment Amount Manipulation via 'mf-calculation'

The MetForm Pro plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 3.9.7 This is due to the payment integrations (Stripe/PayPal) trusting a user-submitted calculation field value without recomputing or validating it against the configured form price. This makes it possible for unauthenticated attackers to manipulate the payment amount via the 'mf-calculation' field in the form submission REST request granted there exists a specific form with this particular configuration.

Vendor-Wpmet

Product-MetForm Pro

CWE ID-CWE-20

Improper Input Validation

CVE-2026-1261

Assigner-Wordfence

View Details

Assigner-Wordfence

CVSS Score-7.2||HIGH

EPSS-0.13% / 32.81%

7 Day CHG~0.00%

Published-10 Mar, 2026 | 09:25

Updated-08 Apr, 2026 | 17:30

MetForm Pro <= 3.9.6 - Unauthenticated Stored Cross-Site Scripting

The MetForm Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Quiz feature in all versions up to, and including, 3.9.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vendor-Wpmet

Product-MetForm Pro

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')