PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-24611 WPMet CVE debrief

CVE-2026-24611 is a critical vulnerability in the MetForm Pro plugin for WordPress, affecting versions up to and including 3.9.1. The vulnerability is caused by unauthenticated broken access control, which could allow attackers to access sensitive information or perform unauthorized actions. With a CVSS score of 9.1, this vulnerability is considered critical and requires immediate attention. Users of the affected plugin should update to a patched version as soon as possible. The vulnerability was publicly disclosed on June 17, 2026.

Vendor: WPMet
Product: MetForm Pro
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

WordPress users who have installed the MetForm Pro plugin, especially those using versions up to and including 3.9.1, should be aware of this critical vulnerability. Additionally, administrators and security teams responsible for maintaining WordPress installations should prioritize updating the plugin to prevent potential exploitation.

Technical summary

CVE-2026-24611 is caused by unauthenticated broken access control in the MetForm Pro plugin. An attacker could access sensitive information or perform unauthorized actions without authenticating. The vulnerability has a CVSS score of 9.1, which falls in the critical range. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H: the vulnerability can be exploited over the network with low attack complexity, no privileges required and no user interaction, and the rated impact is high for confidentiality and availability and none for integrity.

Defensive priority

high

Recommended defensive actions

  • Update the MetForm Pro plugin to a patched version (if available) as soon as possible.
  • Restrict access to sensitive areas of the WordPress installation.
  • Monitor WordPress installation logs for suspicious activity.
  • Implement additional security measures, such as two-factor authentication.
  • Regularly review and update installed plugins and themes.
  • Consider using a web application firewall (WAF) to detect and prevent attacks.

Evidence notes

The information provided is based on data from the National Vulnerability Database (NVD) and Patchstack. The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information is available at [ref-4].

Official resources

CVE-2026-24611 was publicly disclosed on June 17, 2026.