Stored XSS Vulnerability in MetForm Pro Plugin for WordPress
CVE-2026-1261

7.2HIGH

Key Information:

Vendor: WordPress
Status: Metform Pro
Vendor: CVE Published:; 10 March 2026

What is CVE-2026-1261?

The MetForm Pro plugin for WordPress suffers from a vulnerability that allows stored cross-site scripting (XSS) via its Quiz feature. This flaw exists in all versions up to and including 3.9.6 and arises from inadequate input sanitization and output escaping mechanisms. As a result, unauthenticated attackers can inject harmful web scripts that are executed when users visit compromised pages, potentially leading to unauthorized data access and other malicious activities.

Affected Version(s)

MetForm Pro 0 <= 3.9.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/metform-pro/ta...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 10, 2026
Vulnerability Reserved
Jan 20, 2026

Credit

andrea bocchetti

CVE-2026-1261 Data

JSON