CVE-2022-1442: CWE-862 Missing Authorization in xpeedstudio Metform Elementor Contact Form Builder

High
Tags: Vulnerability, CVE-2022-1442, CVE, CWE-862
Published: Tue May 10 2022 (05/10/2022, 19:30:12 UTC)
Source: CVE
Vendor/Project: xpeedstudio
Product: Metform Elementor Contact Form Builder

Description

The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3.

AI-Powered Analysis

Last updated: 07/05/2025, 21:41:41 UTC

Technical Analysis

CVE-2022-1442 is a high-severity vulnerability affecting the Metform Elementor Contact Form Builder WordPress plugin developed by xpeedstudio. The vulnerability arises from improper access control (CWE-862) in the ~/core/forms/action.php file, which allows unauthenticated attackers to access sensitive information. Specifically, the flaw enables attackers to retrieve all API keys and secrets configured for integrated third-party services such as PayPal, Stripe, Mailchimp, Hubspot, HelpScout, and reCAPTCHA. These API keys are critical credentials that facilitate communication between the WordPress site and external services, often granting significant privileges including payment processing, marketing automation, customer support, and spam prevention. The vulnerability affects all versions up to and including 2.1.3 of the plugin. The CVSS 3.1 base score is 7.5, reflecting a high severity due to the vulnerability's network attack vector, no required privileges or user interaction, and the high impact on confidentiality. The vulnerability does not impact integrity or availability directly but compromises confidentiality by exposing sensitive credentials. No known exploits in the wild have been reported, but the ease of exploitation and the critical nature of the exposed data make this a significant threat. The lack of a patch link suggests that users must verify if updates or mitigations have been released by the vendor or consider alternative protective measures.

Potential Impact

For European organizations, this vulnerability poses a substantial risk, especially for businesses relying on WordPress websites with the Metform Elementor Contact Form Builder plugin. Exposure of API keys for payment gateways like PayPal and Stripe could lead to fraudulent transactions, financial theft, or unauthorized access to payment processing systems. Similarly, disclosure of API keys for marketing and customer support platforms (Mailchimp, Hubspot, HelpScout) could result in data leakage, phishing campaigns, or unauthorized manipulation of customer data. The reCAPTCHA key exposure could allow attackers to bypass anti-bot protections, facilitating further automated attacks. Given the widespread use of WordPress in Europe across sectors such as e-commerce, finance, healthcare, and public services, the vulnerability could lead to significant data breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and financial losses. The fact that exploitation requires no authentication or user interaction increases the risk of automated scanning and mass exploitation attempts targeting vulnerable sites.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the Metform Elementor Contact Form Builder plugin and verify the version in use. If running version 2.1.3 or earlier, they should upgrade to the latest patched version as soon as it becomes available from the vendor. In the absence of an official patch, organizations should consider temporarily disabling or removing the plugin to prevent exploitation. Additionally, organizations must rotate all API keys and secrets associated with the affected plugin integrations, including PayPal, Stripe, Mailchimp, Hubspot, HelpScout, and reCAPTCHA, to invalidate any potentially compromised credentials. Implementing Web Application Firewalls (WAFs) with rules to block unauthorized access to the ~/core/forms/action.php endpoint can provide interim protection. Monitoring web server logs for unusual access patterns targeting this file can help detect exploitation attempts. Organizations should also review and tighten access controls on their WordPress admin and plugin configurations to minimize exposure. Finally, educating web administrators about the risks of using outdated plugins and enforcing strict update policies will reduce future vulnerabilities.
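The log monitoring recommended above, as an added example that is not part of the advisory or the plugin: it parses web-server lines in the common "combined" format and reports requests to the core/forms/action.php path per client IP, so a defender can spot probing of the endpoint and threshold on it. The plugin directory name metform and the log lines are constructed for the example.

```python
"""Flag web-server requests to the Metform action.php endpoint (CVE-2022-1442).

Added example, not code from the advisory or the plugin. Parses Apache/nginx
"combined" log lines and reports every request whose path contains
core/forms/action.php, grouped by client IP. The plugin slug 'metform' and
the sample log lines below are constructed, not real traffic.
"""
import re
from collections import Counter

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Path fragment taken from the advisory; the directory above it is an assumption.
TARGET = "core/forms/action.php"


def parse_line(line):
    """Return a dict of fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_action_php_hits(lines):
    """Return parsed entries whose request path touches the sensitive endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and TARGET in rec["path"].lower():
            hits.append(rec)
    return hits


def hits_per_ip(lines):
    """Count endpoint requests per client IP, for alert thresholds."""
    return Counter(h["ip"] for h in find_action_php_hits(lines))


# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2022:19:30:12 +0000] "GET /wp-content/plugins/metform/core/forms/action.php HTTP/1.1" 200 812 "-" "curl/7.81.0"',
    '198.51.100.9 - - [10/May/2022:19:30:15 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2022:19:30:20 +0000] "GET /wp-content/plugins/metform/core/forms/action.php HTTP/1.1" 200 790 "-" "curl/7.81.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, n in hits_per_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} request(s) to {TARGET}")
```

In production, feed the function the live access log and raise an alert when any IP exceeds a small number of hits in a short window; a 200 response to an unauthenticated client is the case the advisory describes.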

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2022-04-23T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981ec4522896dcbdbc88

Added to database: 5/21/2025, 9:08:46 AM

Last enriched: 7/5/2025, 9:41:41 PM

Last updated: 7/31/2025, 10:18:39 AM
