CVE-2026-0633

Name of the Vulnerable Software and Affected Versions MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress versions up to and including 4.1.0

Description The software contains a flaw due to the use of a forgeable cookie value derived from the entry ID and current user ID without a server-side secret. This allows unauthenticated attackers to access form submission entry data via MetForm shortcodes for entries created within the transient TTL, which defaults to 15 minutes.

Recommendations Update to a version beyond 4.1.0.