CVE-2026-0633 identifies an improper authentication vulnerability (CWE-287) in the MetForm – Contact Form, Survey, Quiz, & Custom Form Builder plugin for Elementor on WordPress. The vulnerability exists because the plugin generates a cookie value used to access form submission entries based only on the entry ID and current user ID, without incorporating a server-side secret or cryptographic protection. This design flaw allows an attacker who can guess or enumerate valid entry and user IDs to forge the cookie and retrieve sensitive form submission data via MetForm shortcodes. The exposure window is limited to the transient TTL, which defaults to 15 minutes, restricting the timeframe during which the data can be accessed. The vulnerability affects all versions up to and including 4.1.0. The CVSS v3.1 score is 3.7, reflecting low severity due to network attack vector, high attack complexity, no privileges required, no user interaction, and limited confidentiality impact. No known exploits have been reported in the wild as of the publication date. The flaw primarily compromises confidentiality of form data but does not affect data integrity or availability. This vulnerability is particularly relevant for organizations that rely on MetForm for collecting sensitive user input, such as contact forms, surveys, or quizzes, especially if the data includes personal or confidential information.

The primary impact of CVE-2026-0633 is the unauthorized disclosure of sensitive information submitted through forms built with the MetForm plugin. Attackers can potentially access personal data, survey responses, or other confidential inputs within a short 15-minute window after submission. While the vulnerability does not affect data integrity or system availability, the exposure of sensitive data can lead to privacy violations, regulatory non-compliance (e.g., GDPR), reputational damage, and potential targeted phishing or social engineering attacks. Organizations with high volumes of sensitive form submissions are at greater risk. The limited attack complexity and lack of authentication requirements increase the risk of opportunistic attacks, especially in environments where entry and user IDs can be enumerated or predicted. However, the transient nature of the vulnerability and absence of known exploits reduce the immediate threat level.

To mitigate CVE-2026-0633, organizations should: 1) Upgrade the MetForm plugin to a version that addresses this vulnerability once a patch is released by the vendor. 2) Until a patch is available, restrict access to form submission data by implementing server-side access controls that validate user permissions beyond cookie values. 3) Employ web application firewalls (WAFs) to detect and block suspicious requests attempting to enumerate entry or user IDs. 4) Monitor logs for unusual access patterns to form submission endpoints or shortcodes. 5) Limit the retention time of transient data to less than the default 15 minutes if configurable. 6) Educate developers and administrators about secure cookie handling and the importance of incorporating server-side secrets or cryptographic tokens to prevent forgery. 7) Consider disabling or restricting the use of MetForm shortcodes that expose entry data in environments with high sensitivity until the vulnerability is resolved.