This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: Improper Access Control in `action.php` allows unauthenticated data leakage. π₯ **Consequences**: Attackers can steal sensitive API keys (PayPal, Stripe, Mailchimp, etc.) and secrets.β¦
π‘οΈ **Root Cause**: CWE-862 (Missing Authorization). π **Flaw**: The file `~/core/forms/action.php` lacks proper access checks. π **Result**: No authentication required to access sensitive configuration data.
Q3Who is affected? (Versions/Components)
π₯ **Vendor**: roxnor. π¦ **Product**: MetForm β Contact Form, Survey, Quiz, & Custom Form Builder for Elementor. π **Affected Versions**: Metform <= 2.1.3. π **Platform**: WordPress sites using this specific plugin.
Q4What can hackers do? (Privileges/Data)
π΅οΈ **Privileges**: Unauthenticated (No login needed). π **Data Exposed**: All API keys and secrets for integrated services (PayPal, Stripe, Hubspot, HelpScout, reCAPTCHA, etc.).β¦
π§ **Fix**: Update MetForm plugin to version > 2.1.3. π **Patch**: Official changeset `2711944` in `core/forms/action.php` addresses the access control.β¦
π« **No Patch?**: Disable the MetForm plugin immediately. π **Block**: Restrict access to `/wp-content/plugins/metform/` via `.htaccess` or WAF.β¦
π₯ **Priority**: CRITICAL. β±οΈ **Urgency**: HIGH. πΈ **Risk**: Direct financial impact due to payment gateway keys (Stripe/PayPal) exposure. π **Action**: Patch immediately. Do not wait for next maintenance window.