CVE-2022-1442: 
WordPress vulnerability analysis and mitigation

The Metform WordPress plugin (versions up to and including 2.1.3) contains a sensitive information disclosure vulnerability identified as CVE-2022-1442. The vulnerability exists due to improper access control in the ~/core/forms/action.php file. The issue was discovered in May 2022 and affects the Metform Elementor Contact Form Builder plugin, which has over 100,000 active installations (WPScan).

The vulnerability stems from improper access control in the ~/core/forms/action.php file, specifically in the get_all_data method. An unauthenticated attacker can exploit this by sending requests to the endpoint /wp-json/metform/v1/forms/get/{form_id_here}. The vulnerability has been assigned a CVSS score of 7.5 (HIGH) and is classified under CWE-200 for sensitive data exposure (NVD, GitHub POC).

When exploited, this vulnerability allows unauthenticated attackers to view all API keys and secrets of integrated third-party APIs, including sensitive credentials for services such as PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA, and others. This exposure of sensitive authentication credentials could lead to unauthorized access to these connected services (WPScan).

The vulnerability was patched in version 2.1.4 of the Metform plugin. Site administrators are strongly advised to update their installations to this version or newer to protect against unauthorized access to sensitive API credentials (WPScan).