
CVE-2026-0633: CWE-287 Improper Authentication in roxnor MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Severity: Low
Published: Sat Jan 24 2026 (01/24/2026, 08:26:35 UTC)
Source: CVE Database V5
Vendor/Project: roxnor
Product: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Description

CVE-2026-0633 is a low-severity vulnerability in the MetForm plugin for Elementor, affecting all versions up to and including 4.1.0. It arises from improper authentication: the cookie used to authorize access to an entry is derived solely from the entry ID and user ID, with no server-side secret, so an attacker can forge it. This allows unauthenticated attackers to access form submission data within a 15-minute transient window. The vulnerability impacts confidentiality but not integrity or availability, and exploitation requires no user interaction. No known exploits are currently reported in the wild. European organizations using this plugin on WordPress sites may risk exposure of sensitive data from form entries. Mitigation involves updating the plugin once a patch is available or implementing server-side validation and secret-based cookie generation. Countries with high WordPress usage and significant Elementor adoption, such as Germany, the UK, and France, are most likely affected.

AI-Powered Analysis

Last updated: 01/24/2026, 08:51:14 UTC

Technical Analysis

CVE-2026-0633 identifies an improper authentication vulnerability (CWE-287) in the MetForm – Contact Form, Survey, Quiz, & Custom Form Builder plugin for Elementor, a popular WordPress plugin used to create interactive forms. The vulnerability exists in all versions up to and including 4.1.0. The root cause is that the cookie value used for authentication is derived solely from the entry ID and the current user ID, without incorporating a server-side secret or any cryptographic protection. Because every input to the cookie is known or guessable, an attacker can compute a valid cookie value and bypass the authentication check. Consequently, an unauthenticated attacker can access form submission entry data via MetForm shortcodes for entries created within the transient TTL, which defaults to 15 minutes, so information submitted through forms can be exposed temporarily to unauthorized parties. The CVSS v3.1 score is 3.7, reflecting a low severity: the impact is limited to confidentiality, the attack complexity is rated high, and integrity and availability are unaffected. No known exploits have been reported in the wild. The attack vector is network-based and requires no privileges or user interaction, but the complexity is high because the cookie must be forged correctly for a specific entry within the transient window.

Potential Impact

For European organizations, the primary impact is the potential exposure of sensitive information submitted via forms built with the MetForm plugin. This could include personal data, survey responses, contact details, or other confidential inputs, leading to privacy violations and potential non-compliance with GDPR regulations. Although the vulnerability is low severity, the exposure of sensitive data can damage organizational reputation and trust, especially for entities handling personal or regulated data. The transient nature of the exposure (15 minutes) limits the window of opportunity but does not eliminate the risk. Organizations relying heavily on WordPress and Elementor with MetForm for customer interactions, lead generation, or internal surveys are at risk. The lack of integrity or availability impact means operational disruption is unlikely, but confidentiality breaches remain a concern. The absence of known exploits reduces immediate risk but does not preclude future exploitation.

Mitigation Recommendations

To mitigate this vulnerability, organizations should prioritize updating the MetForm plugin to a patched version once released by the vendor. Until an official patch is available, administrators can implement server-side validation to ensure that cookie values incorporate a secret or cryptographic token that cannot be forged by attackers. Restricting access to form entry data via additional authentication layers or IP whitelisting can reduce exposure. Monitoring web server logs for suspicious access patterns to MetForm shortcodes and form entry endpoints can help detect exploitation attempts. Additionally, reducing the transient TTL duration may limit the exposure window. Organizations should also review and limit the amount of sensitive data collected via forms and ensure compliance with data protection policies. Regular security audits of WordPress plugins and adherence to the principle of least privilege for user roles managing forms are recommended.
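As an added illustration of the root cause and the recommended fix (example code written for this page, not MetForm's own implementation), the following contrasts a hypothetical token derived only from public identifiers with one bound to a server-side secret and an expiry check. The field layout, the `SERVER_SECRET` variable and the function names are assumptions; the 15-minute TTL is the default the advisory describes.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed secret for the example; a real deployment would load it from
# configuration (e.g. the site's salts) rather than generate it at import time.
SERVER_SECRET = secrets.token_bytes(32)
TRANSIENT_TTL = 15 * 60  # seconds; default entry TTL per the advisory


def weak_token(entry_id: int, user_id: int) -> str:
    """Hypothetical weak scheme: a digest of public identifiers only.
    Anyone who knows (entry_id, user_id) can recompute it, so it proves nothing."""
    return hashlib.md5(f"{entry_id}:{user_id}".encode()).hexdigest()


def weak_verify(token: str, entry_id: int, user_id: int) -> bool:
    """Accepts any recomputed token: this is the CWE-287 condition."""
    return token == weak_token(entry_id, user_id)


def issue_token(entry_id: int, user_id: int, now: Optional[int] = None) -> str:
    """Hardened scheme: bind identifiers and issue time under an HMAC keyed with the server secret."""
    issued = int(time.time()) if now is None else now
    msg = f"{entry_id}:{user_id}:{issued}".encode()
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{entry_id}:{user_id}:{issued}:{tag}"


def verify_token(token: str, entry_id: int, user_id: int, now: Optional[int] = None) -> bool:
    """Accept only tokens whose MAC verifies, whose identifiers match the request,
    and whose issue time lies inside the transient window."""
    try:
        t_entry, t_user, t_issued, t_tag = token.split(":")
        t_entry, t_user, t_issued = int(t_entry), int(t_user), int(t_issued)
    except ValueError:
        return False
    if (t_entry, t_user) != (entry_id, user_id):
        return False
    current = int(time.time()) if now is None else now
    if not 0 <= current - t_issued <= TRANSIENT_TTL:
        return False  # expired, or issued in the future
    msg = f"{t_entry}:{t_user}:{t_issued}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, t_tag)  # constant-time comparison
```

Without the secret, a token cannot be computed from the entry and user IDs alone, and the issue time in the signed message lets the server enforce the TTL instead of trusting the client.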


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-01-06T01:17:56.319Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6974846c4623b1157ca99ed5

Added to database: 1/24/2026, 8:35:56 AM

Last enriched: 1/24/2026, 8:51:14 AM

Last updated: 1/24/2026, 4:35:39 PM
