Metform

Roxnor

Developer

4.0.6

Latest version

600,000

Installations

Sep 1, 2025

Last updated

WordPress Plugin

Active VDP

Report vulnerability

Vulnerabilities

Security Policy

Security Contributors

Vulnerability history

0 present

24 fixed

11 Mitigation rules

Authenticated(Contributor+) Stored Cross-Site Scripting via `mf-template` DOM Element vulnerability
<= 4.0.1
Jul 29, 2025
Server Side Request Forgery (SSRF) vulnerability
<= 3.9.2
Mar 27, 2025
Unauthenticated Double-Extension Arbitrary File Upload vulnerability
<= 3.2.4
Aug 19, 2024
Unauthenticated Sensitive Information Exposure vulnerability
<= 3.8.8
Jun 11, 2024
Broken Access Control vulnerability
<= 3.8.3
Apr 25, 2024
Authenticated (Contributor+) Stored Cross-Site Scripting via Widgets vulnerability
<= 3.8.5
Apr 2, 2024
Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
<= 3.8.3
Mar 8, 2024
Cross-Site Request Forgery vulnerability
<= 3.8.1
Jan 8, 2024
Broken Access Control vulnerability
<= 3.4.0
Dec 26, 2023
Authenticated (Subscriber+) Information Disclosure via 'mf_first_name' shortcode vulnerability
<= 3.3.1
Aug 31, 2023
Cross-Site Request Forgery via permalink_setup vulnerability
<= 3.3.2
Jun 22, 2023
Authenticated (Subscriber+) Information Disclosure via 'mf_payment_status' shortcode vulnerability
<= 3.3.1
Jun 12, 2023
Unauthenticated CSV Injection vulnerability
<= 3.3.0
Jun 12, 2023
Authenticated (Contributor+) Stored Cross-Site Scripting via mf_first_name shortcode vulnerability
<= 3.3.0
Jun 12, 2023
Authenticated (Subscriber+) Information Disclosure via mf_last_name shortcode vulnerability
<= 3.3.1
Jun 12, 2023
Authenticated (Subscriber+) Information Disclosure via mf_thankyou shortcode vulnerability
<= 3.3.1
Jun 12, 2023
Authenticated (Contributor+) Stored Cross-Site Scripting via mf_last_name shortcode vulnerability
<= 3.3.0
Jun 12, 2023
Authenticated (Subscriber+) Information Disclosure via 'mf_transaction_id' shortcode vulnerability
<= 3.3.1
Jun 12, 2023
Authenticated (Contributor+) Stored Cross-Site Scripting via mf shortcode vulnerability
<= 3.3.0
Jun 12, 2023
Authenticated (Subscriber+) Information Disclosure via mf shortcode vulnerability
<= 3.3.1
Jun 12, 2023
Missing Authorization vulnerability
<= 3.3.0
May 5, 2023
reCaptcha Protection Bypass vulnerability
<= 3.2.1
Mar 3, 2023
Unauthenticated Stored Cross-Site Scripting vulnerability
<= 3.1.2
Feb 3, 2023
Unauthenticated API keys and Secrets Disclosure vulnerability
<= 2.1.3
Apr 23, 2022