CVE-2026-1261
📋 TL;DR
The MetForm Pro WordPress plugin has a stored XSS vulnerability in its Quiz feature that allows unauthenticated attackers to inject malicious scripts. When users visit pages containing these scripts, they execute automatically, potentially compromising user sessions or redirecting to malicious sites. All WordPress sites using MetForm Pro version 3.9.6 or earlier are affected.
💻 Affected Systems
- MetForm Pro WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over the WordPress site, install backdoors, deface the site, or redirect visitors to malware distribution sites.
Likely Case
Attackers inject malicious JavaScript to steal user session cookies, redirect users to phishing pages, or display unwanted advertisements.
If Mitigated
With proper web application firewalls and input validation, the attack would be blocked before reaching vulnerable code.
🎯 Exploit Status
The vulnerability is in publicly accessible quiz functionality with insufficient input sanitization, making exploitation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.7 or later
Vendor Advisory: https://wpmet.com/plugin/metform/roadmaps/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find MetForm Pro and check for updates. 4. If update available, click 'Update Now'. 5. If no update appears, download version 3.9.7+ from wpmet.com and manually update.
🔧 Temporary Workarounds
Disable Quiz Feature
allTemporarily disable the vulnerable Quiz functionality until patching is complete.
Navigate to MetForm Pro settings and disable Quiz feature
Web Application Firewall Rules
allImplement WAF rules to block XSS payloads targeting quiz endpoints.
Add WAF rule: Block requests containing <script> tags to /wp-content/plugins/metform-pro/
🧯 If You Can't Patch
- Remove or disable the MetForm Pro plugin entirely
- Implement strict Content Security Policy headers to mitigate script execution
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for MetForm Pro version. If version is 3.9.6 or lower, you are vulnerable.Check Version:
wp plugin list --name=metform-pro --field=versionVerify Fix Applied:
After updating, verify MetForm Pro version shows 3.9.7 or higher in WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to quiz endpoints
- JavaScript payloads in form submissions
- Multiple failed quiz submissions with script tags
Network Indicators:
- HTTP requests containing <script> tags to /wp-content/plugins/metform-pro/core/features/quiz/
SIEM Query:
source="wordpress.log" AND ("metform-pro" OR "quiz") AND ("<script>" OR "javascript:" OR "onerror=")🔗 References
- https://plugins.trac.wordpress.org/browser/metform-pro/tags/3.9.5/core/features/quiz/loader.php#L121
- https://plugins.trac.wordpress.org/browser/metform-pro/tags/3.9.5/core/features/quiz/loader.php#L69
- https://plugins.trac.wordpress.org/browser/metform-pro/tags/3.9.5/core/features/quiz/loader.php#L85
- https://wpmet.com/plugin/metform/roadmaps/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e6361ada-f2ba-404e-b9d3-b169da44aa90?source=cve
