PT-2026-44188 · WordPress · Meta Field Block

Published

2026-05-28

·

Updated

2026-05-28

·

CVE-2026-3173

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Meta Field Block versions prior to 1.5.2
Description The plugin is subject to Insecure Direct Object Reference, a condition where an application provides direct access to objects based on user-supplied input. The issue arises because the software allows users to specify arbitrary object IDs and object types through block attributes without verifying if the authenticated user has the necessary permissions to access the metadata of the requested object. Consequently, authenticated attackers with Contributor-level access or higher can read arbitrary user meta, post meta, and term meta data from any object in the database. In environments where other plugins store sensitive data in meta fields, such as WooCommerce billing or shipping information, this can result in the exposure of Personally Identifiable Information (PII), including names, email addresses, phone numbers, and physical addresses.
Recommendations Update the plugin to a version later than 1.5.1.

Fix

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-3173

Affected Products

Meta Field Block