High severity7.5NVD Advisory· Published May 10, 2022· Updated Apr 8, 2026

CVE-2022-1442

Description

The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3.

Affected products

Wpmet/Metform Elementor Contact Form Builder
cpe:2.3:a:wpmet:metform_elementor_contact_form_builder:*:*:*:*:*:wordpress:*:*
Range: <2.1.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changeset/2711944/metform/trunk/core/forms/action.phpnvdPatchThird Party Advisory
gist.github.com/Xib3rR4dAr/6e6c6e5fa1f8818058c7f03de1eda6bfnvdExploitThird Party Advisory
www.wordfence.com/threat-intel/vulnerabilities/id/04a46249-b5b2-4082-b520-cdc4a1370bb1nvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.060
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000