PT-2026-44188 · WordPress · Meta Field Block
Published
2026-05-28
·
Updated
2026-05-28
·
CVE-2026-3173
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Meta Field Block versions prior to 1.5.2
Description
The plugin is subject to Insecure Direct Object Reference, a condition where an application provides direct access to objects based on user-supplied input. The issue arises because the software allows users to specify arbitrary object IDs and object types through block attributes without verifying if the authenticated user has the necessary permissions to access the metadata of the requested object. Consequently, authenticated attackers with Contributor-level access or higher can read arbitrary user meta, post meta, and term meta data from any object in the database. In environments where other plugins store sensitive data in meta fields, such as WooCommerce billing or shipping information, this can result in the exposure of Personally Identifiable Information (PII), including names, email addresses, phone numbers, and physical addresses.
Recommendations
Update the plugin to a version later than 1.5.1.
Fix
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Meta Field Block