CVE-2022-1442
📋 TL;DR
The Metform WordPress plugin, in versions 2.1.3 and earlier, exposes the third-party API keys and secrets it stores for integrations such as PayPal, Stripe and Mailchimp through a REST API route that carries no authorization check. Any unauthenticated client that can reach the site's REST API can read them with a single GET request; no login, nonce or special tooling is needed. Version 2.1.4 fixes the issue in core/forms/action.php, the file that registers the plugin's REST routes.
💻 Affected Systems
- Metform (Elementor contact form builder) WordPress plugin, versions 2.1.3 and earlier
📦 What is this software?
Metform is a drag-and-drop form builder for the Elementor page builder, published by Wpmet. Besides collecting submissions it can forward form data to third-party services (Mailchimp, PayPal, Stripe, reCAPTCHA and others), which is why it stores API keys and secrets for those services in its settings.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all integrated third-party services, financial fraud via stolen payment API keys, unauthorized access to email marketing platforms, and potential data breaches through other connected services.
Likely Case
Unauthorized access to third-party services using stolen API keys, potential financial loss from payment system abuse, and compromise of email/marketing platforms.
If Mitigated
Limited impact if the stored keys are short-lived, scoped to the minimum the integration needs, rotated routinely and monitored for use from unfamiliar sources; the disclosure itself still happens, so rotation only shortens the window in which a stolen key is useful.
🎯 Exploit Status
Publicly documented (see the proof-of-concept gist under References). Exploitation is a single unauthenticated HTTP GET to the affected REST route; the response contains the stored keys in plain JSON. No login, nonce, special tooling or user interaction is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.4 and later
Fix changeset (core/forms/action.php): https://plugins.trac.wordpress.org/changeset/2711944/metform/trunk/core/forms/action.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Metform and click 'Update Now'.
4. Verify that the installed version is 2.1.4 or higher.
🔧 Temporary Workarounds
Disable Metform
Temporarily deactivate the vulnerable plugin until it can be updated (forms built with it stop working in the meantime):
wp plugin deactivate metform
Restrict unauthenticated access to the plugin's REST routes
Blocking direct requests to action.php does nothing: WordPress loads that file itself and never serves it as a page, and the leak is reached through the REST API under /wp-json/metform/v1/ (or, equivalently, /?rest_route=/metform/v1/..., which works whether or not pretty permalinks are enabled). A web-server rule therefore has to target the REST path, and a path-only rule does not cover the rest_route form, so treat it as a stop-gap used together with a WAF rule. The rules below keep anonymous POSTs (form submissions) working and limit GET/HEAD on the namespace to an admin network you substitute for 203.0.113.0/24; test the Elementor editor and the front-end forms afterwards, since both talk to this namespace.
# Apache: <LocationMatch "^/wp-json/metform/v1/"> <Limit GET HEAD> Require ip 203.0.113.0/24 </Limit> </LocationMatch>
# Nginx: location ~ ^/wp-json/metform/v1/ { limit_except POST { allow 203.0.113.0/24; deny all; } try_files $uri /index.php?$args; }
🧯 If You Can't Patch
- Rotate every API key and secret the plugin stores (PayPal, Stripe, Mailchimp, reCAPTCHA and any other configured integration) immediately, and treat the old ones as compromised.
- Add a WAF rule that rejects unauthenticated GET requests to /wp-json/metform/v1/ and to any URL whose rest_route parameter starts with /metform/v1/. A rule keyed on /wp-content/plugins/metform/core/forms/action.php matches nothing, because browsers never request that file; it is only included by WordPress.
- Review the integrated services' own logs for key use from unfamiliar addresses since the plugin was installed, not just since the advisory was published.
🔍 How to Verify
Check if Vulnerable:
From a client with no WordPress session (a fresh curl with no cookies), request the REST route that the fix changeset touches (see the changeset under Official Fix for the exact path; it sits under /wp-json/metform/v1/) and read the JSON: populated API-key or secret fields in the returned form settings mean the site is vulnerable. Requesting https://yoursite.com/wp-content/plugins/metform/core/forms/action.php directly proves nothing, because WordPress never serves that file as a page; it only defines the REST routes.
Check Version:
wp plugin get metform --field=version
Verify Fix Applied:
The same anonymous request now returns a REST authorization error (rest_forbidden, HTTP 401 or 403) or a response in which the secret fields are absent, and the version printed above is 2.1.4 or later.
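Reading a settings dump by eye is error-prone, so here is an added example (mine, not the advisory's or the plugin's code) that fetches a REST route as an anonymous client and walks the JSON for fields whose names look like credentials, reporting their paths with redacted values. The route is a parameter because this page does not name it; take it from the vendor changeset. The sample response and its field names (mf_mailchimp_api_key and so on) are constructed for illustration and are not Metform's real option names.

```python
"""Check a WordPress site's REST response for leaked integration secrets.

Added example for this advisory; not code from Metform or the advisory.
The field names in SAMPLE_RESPONSE are made up for illustration.
"""
import json
import re
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Key names that, when populated, almost always hold a credential.
SECRET_KEY_RE = re.compile(
    r"(api[_-]?key|secret|token|client[_-]?id|password|passwd|private)", re.I
)


def redact(value):
    """Show just enough of a value to recognise which key leaked."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-4:]


def find_secret_fields(obj, path=""):
    """Recursively collect (json_path, redacted_value) for secret-looking,
    non-empty string fields.  Empty strings are skipped: an unconfigured
    integration is not a leak."""
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            sub = f"{path}.{key}" if path else key
            if isinstance(val, (dict, list)):
                hits.extend(find_secret_fields(val, sub))
            elif isinstance(val, str) and val.strip() and SECRET_KEY_RE.search(key):
                hits.append((sub, redact(val)))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits.extend(find_secret_fields(val, f"{path}[{i}]"))
    return hits


def scan_response_text(body):
    """Parse a REST response body and return the secret fields it exposes.
    Non-JSON bodies (HTML error pages, plain-text errors) yield nothing."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    return find_secret_fields(data)


def fetch_unauthenticated(base_url, route, timeout=10):
    """GET base_url + /wp-json + route with no cookies or auth headers, so the
    result is what an anonymous attacker sees.  Returns (http_status, body).
    Network call; not exercised offline."""
    url = base_url.rstrip("/") + "/wp-json" + route
    req = Request(url, headers={"Accept": "application/json",
                                "User-Agent": "metform-leak-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:          # 401/403 after the fix land here
        return err.code, err.read().decode("utf-8", "replace")
    except URLError as err:
        raise SystemExit(f"request failed: {err}")


def check_site(base_url, route):
    """Return (status, hits); the site is vulnerable iff hits is non-empty."""
    status, body = fetch_unauthenticated(base_url, route)
    return status, scan_response_text(body)


# Constructed sample of what a settings dump might look like; the key names
# are illustrative, not Metform's real option names.
SAMPLE_RESPONSE = json.dumps({
    "status": "success",
    "data": {
        "id": 3,
        "title": "Contact us",
        "mf_form_settings": {
            "form_title": "Contact us",
            "enable_mailchimp": "1",
            "mf_mailchimp_api_key": "0123456789abcdef0123456789abcdef-us21",
            "mf_stripe_secret_key": "sk_test_constructedvalue0000000",
            "mf_recaptcha_secret_key": "",
        },
        "integrations": [{"name": "slack", "webhook_token": "xoxb-constructed-value"}],
    },
})

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # python check.py https://yoursite.com /metform/v1/<route-from-changeset>
        status, hits = check_site(sys.argv[1], sys.argv[2])
        print(f"HTTP {status}; {len(hits)} secret field(s) exposed")
        for p, v in hits:
            print(f"  {p} = {v}")
    else:
        for p, v in scan_response_text(SAMPLE_RESPONSE):
            print(f"{p} = {v}")
```

Run it once before and once after updating: before, every reported path is a key to rotate; after, the status should be 401/403 or the hit list should be empty.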
📡 Detection & Monitoring
Log Indicators:
- GET requests to /wp-json/metform/v1/... (or to /?rest_route=/metform/v1/...) from clients with no wordpress_logged_in_ cookie, especially ones answered with HTTP 200 and a body size consistent with a full settings dump. The combined log format does not record cookies, so either add %{Cookie}i to your log format or treat every GET on this namespace that does not come from a known editor address as suspect.
- Requests for core/forms/action.php itself will not appear, because the vulnerability is reached through the REST API, not by fetching that file; a log filter on that path finds nothing.
- Unusual API key use in the integrated services (new source IPs, new geographies, calls outside the plugin's normal pattern) in the Mailchimp, Stripe, PayPal and similar dashboards.
Network Indicators:
- Scanner-style user agents (curl, python-requests, wpscan) issuing GETs to the metform/v1 namespace, often across many IDs in quick succession.
- Use of your keys against the third-party APIs from unfamiliar addresses; this shows up on the provider side, not in your web logs.
SIEM Query (pseudo-query; adapt field names to your schema):
source="web_access_logs" AND method="GET" AND (uri="/wp-json/metform/v1/*" OR uri="*rest_route=*metform*v1*") AND NOT cookie="*wordpress_logged_in_*"
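The indicators above are easy to miss if you only grep for the path, because the rest_route form and percent-encoding both dodge a naive match. The following is an added example (mine, not from the advisory or the plugin) that runs that detection logic over combined-format access-log lines: it normalises both ways of addressing the REST API, decodes percent-encoding, ignores POSTs (form submissions), optionally skips known editor addresses, and separates successful disclosures (HTTP 200) from blocked probes. The log lines are constructed; their route shapes only need to sit under the metform/v1 namespace and are not a claim about the plugin's exact routes, and the admin-IP allowlist is an assumption about your deployment.

```python
"""Flag anonymous GET requests to the Metform REST namespace in
Apache/Nginx combined-format access logs.

Added example for this advisory; not from the advisory or the plugin.
The log lines in SAMPLE_LOG are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

NAMESPACE = "/metform/v1/"   # REST namespace registered by the plugin


def metform_rest_route(target):
    """Return the metform/v1 route a request targets, or None.

    Both ways of reaching the WordPress REST API are checked:
      /wp-json/<route>       pretty-permalink form (any install prefix)
      /?rest_route=<route>   fallback form, also used to dodge path filters
    Percent-encoding is decoded first so %2F cannot hide the namespace."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if "/wp-json" in path:
        route = path.split("/wp-json", 1)[1]
        if route.startswith(NAMESPACE):
            return route
    for route in parse_qs(parts.query).get("rest_route", []):
        route = unquote(route)
        if route.startswith(NAMESPACE):
            return route
    return None


def flag_line(line, admin_ips=frozenset()):
    """Classify one access-log line.  Returns None for lines that do not
    matter, otherwise a dict whose verdict is 'disclosed' (HTTP 200) or
    'probe' (a denied attempt).  Combined logs carry no cookies, so the
    only way to exclude legitimate editors is the admin_ips allowlist."""
    m = LOG_RE.match(line)
    if m is None or m["method"] not in ("GET", "HEAD"):
        return None
    if m["ip"] in admin_ips:
        return None
    route = metform_rest_route(m["target"])
    if route is None:
        return None
    status = int(m["status"])
    return {
        "ip": m["ip"],
        "time": m["ts"],
        "route": route,
        "status": status,
        "ua": m["ua"] or "-",
        "verdict": "disclosed" if status == 200 else "probe",
    }


def scan_log(lines, admin_ips=frozenset()):
    """Run flag_line over an iterable of log lines and keep the findings."""
    return [f for f in (flag_line(line, admin_ips) for line in lines) if f]


# Constructed sample.  The route shapes only need to sit under the
# metform/v1 namespace; the detector does not depend on any specific route.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2022:10:15:02 +0000] "GET /wp-json/metform/v1/forms/templates/3 HTTP/1.1" 200 2481 "-" "curl/7.81.0"',
    '203.0.113.7 - - [12/May/2022:10:15:04 +0000] "GET /?rest_route=%2Fmetform%2Fv1%2Fforms%2Ftemplates%2F3 HTTP/1.1" 200 2481 "-" "python-requests/2.27.1"',
    '198.51.100.4 - - [12/May/2022:10:16:10 +0000] "POST /wp-json/metform/v1/entries/insert/3 HTTP/1.1" 200 118 "https://example.test/contact/" "Mozilla/5.0"',
    '192.0.2.9 - - [12/May/2022:10:17:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9127 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/May/2022:10:18:30 +0000] "GET /wp-json/metform/v1/forms/templates/3 HTTP/1.1" 200 2481 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [13/May/2022:08:00:00 +0000] "GET /wp-json/metform/v1/forms/templates/3 HTTP/1.1" 401 87 "-" "curl/7.81.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, admin_ips={"10.0.0.5"}):
        print(f"{f['verdict']:9} {f['ip']:15} {f['status']} {f['route']} ({f['ua']})")
```

A 'disclosed' finding dated before the update means the keys are burned regardless of what the SIEM query shows; 'probe' findings after the update are reconnaissance worth blocking at the WAF.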
🔗 References
- https://gist.github.com/Xib3rR4dAr/6e6c6e5fa1f8818058c7f03de1eda6bf
- https://plugins.trac.wordpress.org/changeset/2711944/metform/trunk/core/forms/action.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/04a46249-b5b2-4082-b520-cdc4a1370bb1?source=cve