CVE-2026-24611 | Severity: CRITICAL | CNA: Patchstack

CVE-2026-24611: WordPress MetForm Pro plugin <= 3.9.1 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in MetForm Pro versions 3.9.1 and earlier.

Metrics

  • CVSS v3.1 score: 9.1
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

Broken access control in the MetForm Pro WordPress plugin (versions 3.9.1 and earlier) allows a remote, unauthenticated attacker to reach restricted functionality without any credentials. The vulnerability is exploitable over the network with no user interaction required, making it trivially reachable from the public internet. Successful exploitation gives an attacker unauthorized read access to sensitive data and the ability to crash or disrupt the affected service. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-24611 is available across every HarborGuard environment - the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built WordPress images that bundle MetForm Pro.

Status: Available

Triage

HarborGuard scores this finding at 9.1 CRITICAL using the published CVSS v3.1 vector, and triage routing is available to weight that score against each customer environment's compliance policy and send the alert to the appropriate team inbox automatically.

Status: Available

Patch

No fix version has been published upstream for CVE-2026-24611 as of the record date. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment WPMet publishes a remediated release.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress installation over the network; any internet-facing deployment is directly exposed.

  • Authentication: Not required

    No credentials of any kind are needed; the access control bypass is reachable by a fully anonymous request.

  • Victim interaction: Not required

    No user action is required; the attacker sends requests directly to the server without any social-engineering step.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup.

Blast Radius

  • Reads restricted form submissions, user records, or other data protected by the broken access control check.
  • Triggers denial-of-service conditions that crash or make the MetForm Pro plugin and the hosting WordPress site unavailable.
  • Provides a foothold for further enumeration of WordPress internals exposed through unguarded endpoints.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged immediately on any image found to include MetForm Pro 3.9.1 or earlier, with a CRITICAL-severity alert routed according to each customer organization's compliance policy. Because no upstream patch exists yet, HarborGuard monitors the Patchstack and WPMet advisory feeds on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is published. In the interim, compensating controls available through HarborGuard include network-policy isolation to restrict inbound access to the WordPress service to known-safe IP ranges, and egress filtering to limit lateral movement if the plugin endpoint is abused. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will initiate without manual intervention as soon as the fix is available upstream.

Affected packages
  • WPMet / MetForm Pro ≤ 3.9.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H