cleantalk
Vulnerabilities and Security Researches

Metform Elementor Contact Form Builder, CVE-2026-0633

CVE, Research URL

CVE-2026-0633

Home page URL

Security reports for Metform Elementor Contact Form Builder

Application

Metform Elementor Contact Form Builder

Published on
Jan 24, 2026
Research Description
The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without a server-side secret. This makes it possible for unauthenticated attackers to access form submission entry data via MetForm shortcodes for entries created within the transient TTL (default is 15 minutes).
Affected versions
max 4.1.1.
Status
vulnerable
Previous vulnerability researches
Metform Elementor Contact Form Builder (CVE-2026-0633) , Apr 13, 2026
Metform Elementor Contact Form Builder (CVE-2025-30914) , Apr 01, 2025
Metform Elementor Contact Form Builder (CVE-2023-50903) , Jun 10, 2024
Metform Elementor Contact Form Builder (CVE-2024-4266) , Jun 14, 2024
Metform Elementor Contact Form Builder , Mar 30, 2026
New vulnerability
Booking Package (CVE-2026-4911) , Apr 29, 2026
Templately – Gutenberg & Elementor Template Library: 5000+ Free & Pro Ready Templates & Cloud! (CVE-2026-42379) , Apr 28, 2026
WPIDE – File Manager & Code Editor , Apr 28, 2026
UiCore Animate , Apr 28, 2026
WP Booking Calendar , Apr 28, 2026