MetForm Vulnerability – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor – Authenticated Stored Cross-Site Scripting via Widgets – CVE-2024-2791 | WordPress Plugin Vulnerability Report

Plugin Name: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Key Information:

  • Software Type: Plugin
  • Software Slug: metform
  • Software Status: Active
  • Software Author: XpeedStudio
  • Software Downloads: 3,334,058
  • Active Installs: 300,000
  • Last Updated: April 4, 2024
  • Patched Versions: 3.8.6
  • Affected Versions: <= 3.8.5

Vulnerability Details:

  • Name: Metform Elementor Contact Form Builder <= 3.8.5
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Widgets
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-2791
  • CVSS Score: 6.4
  • Publicly Published: April 1, 2024
  • Researcher: Dau Hoang Tai - VCI
  • Description: The MetForm plugin, an advanced form builder for WordPress, has been identified with a Stored Cross-Site Scripting (XSS) vulnerability in its widgets. This flaw stems from insufficient sanitization of user-supplied attributes, enabling authenticated users with contributor-level permissions to execute arbitrary scripts, compromising site security and user data.


The widely utilized MetForm plugin harbors a critical vulnerability in versions up to 3.8.5, known as CVE-2024-2791. This security gap allows for Stored XSS attacks through the plugin's widgets, presenting significant risks to both website integrity and user privacy. Fortunately, this concern has been effectively addressed in the latest version, 3.8.6, emphasizing the necessity of timely updates.

Detailed Overview:

Discovered by the vigilant researcher Dau Hoang Tai, this vulnerability exposes websites to potential unauthorized script executions, which could lead to data breaches, site defacement, or more sophisticated attacks such as phishing campaigns. The nature of Stored XSS means the malicious code persists within the website’s content, activating each time an affected page is accessed by users. The release of version 3.8.6 is a vital update that mitigates this vulnerability, ensuring better protection for WordPress sites employing MetForm.

Advice for Users:

  • Immediate Action: Users of the MetForm plugin are strongly advised to update to version 3.8.6 without delay to safeguard their sites against potential exploits stemming from CVE-2024-2791.
  • Check for Signs of Vulnerability: Website administrators should conduct thorough reviews for any unusual content changes or script injections, indicative of exploitation.
  • Alternate Plugins: Although the vulnerability has been patched, exploring alternative form builder plugins could serve as a prudent precautionary measure.
  • Stay Updated: Maintaining the latest versions of all WordPress plugins is essential in ensuring a secure and reliable website environment.


The swift action taken by XpeedStudio to rectify the CVE-2024-2791 vulnerability in the MetForm plugin underscores the critical importance of software updates in maintaining website security. By ensuring that the MetForm plugin is updated to version 3.8.6 or later, users can enhance their defenses against this and other potential vulnerabilities, securing their WordPress installations in an increasingly hostile digital landscape.


Detailed Report: 

In the digital expanse where websites serve as the cornerstone of modern business and communication, the sanctity of your online presence is paramount. The recent identification of a significant vulnerability within the MetForm plugin, a widely utilized tool for creating forms and surveys on WordPress sites, highlights the relentless landscape of cyber threats and the critical need for vigilant website maintenance. The vulnerability, tagged as CVE-2024-2791, emphasizes a fundamental principle in cybersecurity: the indispensability of keeping your website's components, especially plugins, up to date to ward off potential threats.

About MetForm Plugin:

MetForm, crafted by XpeedStudio, stands as a versatile plugin in the WordPress ecosystem, enabling users to create advanced forms, quizzes, and surveys with ease. With its extensive functionality, the plugin has amassed over 300,000 active installations. Despite its popularity, MetForm was found vulnerable to Stored Cross-Site Scripting (XSS) attacks in versions up to 3.8.5, a stark reminder that no digital tool is immune to threats.

Vulnerability Details:

  • CVE-2024-2791: This security flaw within MetForm allows attackers with contributor-level access to execute Stored XSS via the plugin's widgets, stemming from insufficient input sanitization of user-supplied attributes.
  • Impact: The exploitation of this vulnerability could lead to unauthorized script executions, compromising site integrity, user data, and potentially leading to data breaches or phishing attacks.

Addressing the Vulnerability:

In response to this discovery, XpeedStudio promptly released version 3.8.6, effectively patching the vulnerability and bolstering the plugin's defenses. This swift action highlights the importance of immediate remediation in the face of security vulnerabilities.

Historical Context:

MetForm has encountered 19 vulnerabilities since April 23, 2022, underscoring the ongoing battle against cyber threats and the importance of continuous vigilance and updates.


The resolution of CVE-2024-2791 by XpeedStudio underscores the critical role that timely software updates play in safeguarding digital assets. For small business owners, managing the intricacies of website security amidst myriad other responsibilities can be daunting. Yet, the repercussions of neglecting such vulnerabilities can be far-reaching, affecting not just the security but also the reputation and trustworthiness of your online presence. Leveraging automated update features, employing reputable security solutions, and staying informed about potential threats are key strategies to ensure your WordPress site remains secure in an ever-evolving cybersecurity landscape. In the realm of digital security, proactive measures are not merely advisable; they are essential for the continued safety and integrity of your digital doorway.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

MetForm Vulnerability – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor – Authenticated Stored Cross-Site Scripting via Widgets – CVE-2024-2791 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment