PatchSiren cyber security CVE debrief

CVE-2026-24610 WPMet CVE debrief

On June 17, 2026, a medium-severity vulnerability (CVSS score of 4.3) was disclosed in the MetForm Pro plugin, affecting versions up to and including 3.9.1. It allows users holding only the subscriber role to bypass access controls and perform actions they are not authorized for. The issue was reported by Patchstack and is tracked as CVE-2026-24610. At the time of disclosure no ransomware campaigns had been linked to it. Administrators of affected sites should prioritize updating to a patched version to prevent exploitation.

Vendor: WPMet
Product: MetForm Pro
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and security teams responsible for WordPress installations using the MetForm Pro plugin, especially those with subscriber-level users, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

CVE-2026-24610 in MetForm Pro plugin versions <= 3.9.1 is a Broken Access Control issue classified as CWE-862 (Missing Authorization): an action reachable by authenticated users is not guarded by an adequate authorization check, so a subscriber-level account can perform it. The CVSS 3.1 base score is 4.3 (medium), with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: reachable over the network, low attack complexity, low privileges required (a subscriber account), no user interaction, scope unchanged, and a low integrity impact with no confidentiality or availability impact.

Defensive priority

Medium

Recommended defensive actions

  • Update the MetForm Pro plugin to a patched release above 3.9.1
  • Review which accounts hold the subscriber role and whether subscriber self-registration is needed
  • Monitor plugin usage and logs for actions performed by subscriber-level accounts that those accounts should not be able to perform
  • If updating is not immediately feasible, restrict access to the plugin's functionality for low-privilege users until the patch can be applied
  • Consider using a Web Application Firewall (WAF) to detect and block exploitation attempts
  • Regularly review and update all plugins and themes on the WordPress installation

Evidence notes

The vulnerability was reported by Patchstack and is tracked in the CVE database; the CVE record and NVD entry are available for further information. Its status is currently listed as 'Deferred' in the NVD.
