📄 Description (English)
The MetForm Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Quiz feature in all versions up to, and including, 3.9.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
🤖 AI Executive Summary
MetForm Pro WordPress plugin versions up to 3.9.6 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Quiz feature that allows unauthenticated attackers to inject malicious scripts. These scripts execute when users access affected pages, potentially compromising user sessions, stealing credentials, or distributing malware. This vulnerability poses significant risk to Saudi organizations using WordPress with MetForm Pro for customer engagement and data collection.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 9, 2026 00:33
🇸🇦 Saudi Arabia Impact Assessment
High impact for Saudi e-commerce platforms, government service portals, banking customer engagement sites, and healthcare patient intake systems using WordPress. Particularly vulnerable are ARAMCO contractor portals, STC customer service platforms, and SAMA-regulated fintech companies using MetForm Pro for quiz-based customer verification or data collection. Stored XSS enables credential theft, session hijacking, and malware distribution affecting thousands of users simultaneously.
🏢 Affected Saudi Sectors
E-commerce and Retail
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Services
Energy and Utilities
Telecommunications
Education
Hospitality and Tourism
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all WordPress installations using MetForm Pro plugin via admin dashboard or WP-CLI: wp plugin list | grep metform
2. Disable MetForm Pro Quiz feature immediately if patch unavailable: Settings > MetForm > Disable Quiz Module
3. Review access logs for suspicious quiz submissions containing script tags or encoded payloads
PATCHING:
1. Update MetForm Pro to version 3.9.7 or later immediately via WordPress admin dashboard
2. Verify update completion: wp plugin list --field=name,version | grep metform
3. Clear all WordPress caches after patching
COMPENSATING CONTROLS (if immediate patching impossible):
1. Implement Web Application Firewall (WAF) rules blocking script injection patterns in quiz submissions
2. Add Content Security Policy (CSP) header: Content-Security-Policy: script-src 'self'; object-src 'none'
3. Enable WordPress security plugin (Wordfence/Sucuri) with XSS protection rules
4. Restrict quiz feature access to authenticated users only via .htaccess or plugin settings
DETECTION:
1. Monitor database for quiz submissions containing: <script>, javascript:, onerror=, onload=, eval(
2. Check WordPress error logs for XSS-related warnings
3. Implement SIEM rules for POST requests to quiz endpoints with encoded payloads
4. Audit user roles with quiz creation/editing permissions
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع تثبيتات WordPress التي تستخدم مكون MetForm Pro عبر لوحة التحكم أو WP-CLI
2. تعطيل ميزة MetForm Pro Quiz فوراً إذا لم يكن التصحيح متاحاً
3. مراجعة سجلات الوصول للبحث عن عمليات إرسال مريبة تحتوي على علامات البرامج النصية
التصحيح:
1. تحديث MetForm Pro إلى الإصدار 3.9.7 أو أحدث فوراً عبر لوحة تحكم WordPress
2. التحقق من اكتمال التحديث
3. مسح جميع ذاكرات التخزين المؤقت في WordPress بعد التصحيح
الضوابط البديلة:
1. تنفيذ قواعد جدار حماية تطبيقات الويب لحجب أنماط حقن البرامج النصية
2. إضافة رأس سياسة أمان المحتوى
3. تفعيل مكون أمان WordPress مع قواعد حماية XSS
4. تقييد وصول ميزة الاختبار للمستخدمين المصرح لهم فقط
الكشف:
1. مراقبة قاعدة البيانات للبحث عن عمليات إرسال تحتوي على برامج نصية ضارة
2. فحص سجلات أخطاء WordPress
3. تنفيذ قواعد SIEM لطلبات POST المريبة
4. تدقيق أدوار المستخدمين بصلاحيات إنشاء الاختبارات
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Secure development and change management
ECC 2024 A.14.2.5 - Secure coding practices and input validation
ECC 2024 A.14.3.1 - Testing of security functionality
ECC 2024 A.5.2.3 - User access provisioning and authorization
🔵 SAMA CSF
SAMA CSF 2.1 - Asset Management and Inventory
SAMA CSF 3.2 - Access Control and Authentication
SAMA CSF 4.1 - Vulnerability Management
SAMA CSF 5.2 - Incident Detection and Response
🟡 ISO 27001:2022
ISO 27001:2022 A.8.2.3 - Segregation of duties
ISO 27001:2022 A.14.2.1 - Secure development policy
ISO 27001:2022 A.14.2.5 - Secure coding practices
ISO 27001:2022 A.14.3.1 - Security testing
🟣 PCI DSS v4.0.1
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 6.5.7 - Cross-site scripting prevention
PCI DSS 11.3 - Penetration testing and vulnerability scanning
🔗 References & Sources 5
🔗
🔗
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/metform-pro/tags/3.9.5/core/features/quiz/lo...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/metform-pro/tags/3.9.5/core/features/quiz/lo...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/metform-pro/tags/3.9.5/core/features/quiz/lo...
security@wordfence.com
https://wpmet.com/plugin/metform/roadmaps/
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/e6361ada-f2ba-404e-b9d3-b169d...
security@wordfence.com