CVE-2022-1442
published 2022-05-10

CVE-2022-1442: The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be…

Priority: P2 · 61 · high
CVSS 3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Exploit

EPSS: 9.11% (94.7th percentile)
The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3.

Affected

1 range

Vendor   Product                                   Version range   Fixed in
wpmet    metform_elementor_contact_form_builder    < 2.1.4         2.1.4

Detection & IOCs (extracted from sources)

url   /wp-json/metform/v1/forms/templates/0
url   /wp-json/metform/v1/forms/get/
path  ~/core/forms/action.php
path  /wp-content/plugins/metform
  • Unauthenticated GET request to /wp-json/metform/v1/forms/templates/0 followed by /wp-json/metform/v1/forms/get/{id} returning HTTP 200 with Content-Type application/json and body containing 'mf_recaptcha_secret_key' and 'admin_email_from' indicates successful exploitation.
  • Response body containing 'mf_recaptcha_secret_key' indicates API secrets (PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA, etc.) are being disclosed via the unauthenticated REST endpoint.
  • The first request extracts a numeric form ID from an <option value> HTML element, which is then used in the second request to retrieve sensitive configuration data.
  • Vulnerability affects Metform WordPress plugin versions up to and including 2.1.3; version 2.1.4 and above contain the fix.
  • The vulnerable REST API endpoint requires no authentication (PR:N, UI:N), making it exploitable by any unauthenticated remote attacker.
  • High EPSS score (~74.9%) indicates this vulnerability has a very high probability of exploitation in the wild.

CVSS provenance

nvd  v3.1  7.5  HIGH    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd  v2.0  5.0  MEDIUM  AV:N/AC:L/Au:N/C:P/I:N/A:N