VYPR
Unrated severity · NVD Advisory · Published Apr 15, 2024 · Updated Aug 1, 2024

Meta Box < 5.9.4 - Contributor+ Arbitrary Posts' Custom Field Disclosure

CVE-2024-1204

Description

The Meta Box WordPress plugin before 5.9.4 does not prevent users with at least the Contributor role from accessing arbitrary custom fields assigned to other users' posts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Missing access control checks allow Contributor-level users to read custom fields assigned to other users' posts."

Attack vector

An attacker with at least the Contributor role can access arbitrary custom fields (post meta) assigned to other users' posts [ref_id=1]. The plugin fails to enforce proper access control checks when serving custom field data, allowing a low-privileged user to read sensitive metadata belonging to other authors' content [CWE-284]. No special network position is required beyond being an authenticated WordPress user with Contributor privileges.

Affected code

The advisory does not specify exact files or functions. The vulnerability affects the Meta Box WordPress plugin versions before 5.9.4, where custom field access controls are missing.

What the fix does

The advisory states the issue is fixed in Meta Box version 5.9.4 [ref_id=1]. No patch diff is provided in the bundle, but the fix presumably adds capability checks to ensure that only users with appropriate permissions (e.g., edit_posts or edit_others_posts) can read custom fields belonging to other users' posts.
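To make the capability-check fix concrete, here is an added illustration in PHP of a hypothetical admin-ajax endpoint that returns a post's custom fields, first in the weak form the root cause describes and then hardened. This is example code written for this page, not Meta Box's code; the action name, nonce name and function names are assumed, while `check_ajax_referer`, `current_user_can`, `get_post_meta` and `wp_send_json_*` are core WordPress functions.

```php
<?php
// Added illustration (not Meta Box's own code): a hypothetical endpoint that
// returns a post's custom fields (post meta), shown weak and then hardened.

// Weak variant: any authenticated user with a valid nonce (a Contributor
// included) can read the meta of any post, because the handler never checks
// whether the current user is allowed to work on that post.
function example_get_fields_weak() {
    check_ajax_referer( 'example_fields', 'nonce' );
    $post_id = absint( $_POST['post_id'] ?? 0 );
    // A nonce proves the request came from our page; it is not authorization.
    wp_send_json_success( get_post_meta( $post_id ) );
}

// Hardened variant: the meta capability 'edit_post' is mapped by WordPress to
// the post type's edit_posts / edit_others_posts (and edit_published_posts)
// primitives depending on author and status, so a Contributor is refused for
// posts that belong to other users.
function example_get_fields_hardened() {
    check_ajax_referer( 'example_fields', 'nonce' );
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( 'unknown post', 404 );
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        // Do not leak another author's custom fields to a low-privileged user.
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( get_post_meta( $post_id ) );
}

// Register only the hardened handler for logged-in users (hypothetical action name).
add_action( 'wp_ajax_example_get_fields', 'example_get_fields_hardened' );
```

A useful regression check for this class of bug is to call the endpoint as a Contributor with the ID of another author's post and expect a 403 rather than the meta payload.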

Preconditions

  • auth: Attacker must be an authenticated WordPress user with at least the Contributor role
  • config: The Meta Box plugin must be installed and active in a version before 5.9.4

Reproduction

The advisory links to a proof of concept at https://gist.github.com/sc0ttkclark/f4f1b94d3a8bc7f00614acf5d80dbd2e but the full reproduction steps are not included in the provided bundle [ref_id=1].

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
