PT-2023-6744 · WordPress · Post Meta Data Manager
Francesco Carlucci · Published 2023-10-27 · Updated 2023-11-07 · CVE-2023-5425
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Post Meta Data Manager plugin for WordPress version 1.2.0 and earlier
Description
The issue is related to a missing capability check on the pmdm_wp_change_user_meta and pmdm_wp_change_post_meta functions. This allows authenticated attackers with subscriber-level permissions and above to gain elevated privileges, such as administrator privileges. The vulnerability can be exploited by remote attackers.
Recommendations
For Post Meta Data Manager plugin for WordPress version 1.2.0 and earlier, consider disabling the pmdm_wp_change_user_meta and pmdm_wp_change_post_meta functions until a patch is available. Restrict access to these functions to minimize the risk of exploitation. Update to a version that includes a fix for this issue when available.
Fix
Missing Authorization
Improper Authorization
Incorrect Authorization
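The authorization checks that handlers of this kind need, shown as an added example that is not the plugin's own code or its patch. It assumes the functions run as AJAX handlers for logged-in users; every hyp_* name, the request fields and the nonce action are hypothetical.

```php
<?php
// Added illustration for a WordPress plugin file; not the plugin's own code.
// Every hyp_* name, the request fields and the nonce action are hypothetical.

// Verify the nonce, then read and sanitize the request fields.
function hyp_read_request() {
    check_ajax_referer( 'hyp_change_meta', 'nonce' ); // rejects forged requests
    return array(
        'id'    => isset( $_POST['object_id'] ) ? absint( $_POST['object_id'] ) : 0,
        'key'   => isset( $_POST['meta_key'] ) ? sanitize_text_field( wp_unslash( $_POST['meta_key'] ) ) : '',
        'value' => isset( $_POST['meta_value'] ) ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) ) : '',
    );
}

// Send a 403 JSON error; wp_send_json_error() ends the request.
function hyp_deny() {
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

function hyp_change_user_meta() {
    $r = hyp_read_request();
    // 'edit_user' alone is not enough: WordPress grants it to every user for
    // their own account, so also require an administrator-only capability.
    if ( ! $r['id'] || '' === $r['key']
        || ! current_user_can( 'manage_options' )
        || ! current_user_can( 'edit_user', $r['id'] ) ) {
        hyp_deny();
    }
    update_user_meta( $r['id'], $r['key'], $r['value'] );
    wp_send_json_success();
}

function hyp_change_post_meta() {
    $r = hyp_read_request();
    // Meta capability: checks edit rights on this post and on this meta key.
    if ( ! $r['id'] || '' === $r['key']
        || ! current_user_can( 'edit_post_meta', $r['id'], $r['key'] ) ) {
        hyp_deny();
    }
    update_post_meta( $r['id'], $r['key'], $r['value'] );
    wp_send_json_success();
}

// Register for logged-in users only; no wp_ajax_nopriv_* hooks.
add_action( 'wp_ajax_hyp_change_user_meta', 'hyp_change_user_meta' );
add_action( 'wp_ajax_hyp_change_post_meta', 'hyp_change_post_meta' );
```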
Related Identifiers
Affected Products
Post Meta Data Manager