CVE-2025-24589
Description
Missing authorization in JSM Show Post Metadata plugin up to 4.6.0 allows unauthorized users to view or delete post metadata.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The JSM Show Post Metadata plugin for WordPress (versions from n/a through 4.6.0) suffers from a missing authorization vulnerability. The plugin displays post meta keys and unserialized values in a metabox on the post editing page, and also provides a delete button for metadata. The capability check for viewing and deleting metadata is either missing or incorrectly implemented, allowing users with lower privileges than intended to access the metabox. The plugin's default capability filter 'jsmspm_show_metabox_capability' is set to 'manage_options', but the vulnerability indicates that this check is not enforced properly [1].
Exploitation
An attacker needs to be an authenticated WordPress user with any role that can access the post editing screen (e.g., Author, Contributor, or even Subscriber if the site allows). By navigating to a post, page, or custom post type edit page, the attacker can view the metabox containing all post meta keys and their values. If the delete functionality is also unprotected, the attacker can delete arbitrary post metadata by clicking the delete button. No special privileges or additional conditions are required beyond having a user account with edit access to posts [1].
Impact
Successful exploitation leads to unauthorized disclosure of sensitive post metadata, which may include internal notes, configuration data, or other confidential information stored in custom fields. Additionally, the attacker can delete metadata, causing data loss and potential disruption of site functionality that relies on those custom fields. The impact is limited to information disclosure and integrity loss; no remote code execution or privilege escalation is achieved [1].
Mitigation
The vulnerability is fixed in version 4.7.0 and later. Users should update the plugin to the latest available version (4.8.0 as of the reference date) to remediate the issue. No workarounds are provided in the available references. The plugin is actively maintained, and the fix was released shortly after the vulnerability was disclosed [1].
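The narrative above describes a missing-authorization flaw: a metabox that exposes (and can delete) post meta is reachable by users who should not hold the capability named by the jsmspm_show_metabox_capability filter. The following is an added example, not the JSM Show Post Metadata plugin's code and not taken from the fix in 4.7.0, showing how a WordPress plugin enforces that check on both the display side and the delete side. Only the filter name and its 'manage_options' default come from this page; the example_ function names, the nonce action, and the POST field names are assumptions.

```php
<?php
// Illustrative hardening of a post-metadata metabox, written as an added example for
// this page. It is NOT the JSM Show Post Metadata plugin's code; only the filter name
// jsmspm_show_metabox_capability and its default come from the page. Function names,
// the nonce action and the POST field names are assumptions.

// Resolve the capability required to view and delete metadata. Site owners can tighten
// or loosen it through the filter; the default requires an administrator.
function example_metabox_capability() {
    return apply_filters( 'jsmspm_show_metabox_capability', 'manage_options' );
}

// Register the metabox only for users who hold that capability, so lower-privileged
// roles on the edit screen never see the box at all.
function example_register_metabox() {
    if ( ! current_user_can( example_metabox_capability() ) ) {
        return;
    }
    foreach ( get_post_types( array( 'show_ui' => true ) ) as $post_type ) {
        add_meta_box(
            'example_post_meta',
            __( 'Post Metadata', 'example' ),
            'example_render_metabox',
            $post_type,
            'normal',
            'low'
        );
    }
}
add_action( 'add_meta_boxes', 'example_register_metabox' );

// Render keys and unserialized values; the nonce ties any delete request to this post.
function example_render_metabox( $post ) {
    wp_nonce_field( 'example_delete_meta_' . $post->ID, 'example_meta_nonce' );
    foreach ( get_post_meta( $post->ID ) as $key => $values ) {
        $value = maybe_unserialize( $values[0] );
        echo '<p><code>' . esc_html( $key ) . '</code>: ';
        echo '<code>' . esc_html( print_r( $value, true ) ) . '</code> ';
        echo '<button name="example_delete_key" value="' . esc_attr( $key ) . '">'
            . esc_html__( 'Delete', 'example' ) . '</button></p>';
    }
}

// Delete handler. Hiding the button is not a control on its own: the server-side
// action re-checks request integrity and authorization before touching anything.
function example_handle_delete( $post_id ) {
    if ( empty( $_POST['example_delete_key'] ) ) {
        return;
    }
    // 1. Request integrity: a valid nonce bound to this specific post.
    if ( ! isset( $_POST['example_meta_nonce'] )
        || ! wp_verify_nonce( $_POST['example_meta_nonce'], 'example_delete_meta_' . $post_id ) ) {
        return;
    }
    // 2. Authorization: may edit this post AND holds the metabox capability.
    if ( ! current_user_can( 'edit_post', $post_id )
        || ! current_user_can( example_metabox_capability() ) ) {
        return;
    }
    // 3. Leave WordPress's protected (underscore-prefixed) keys alone.
    $key = sanitize_text_field( wp_unslash( $_POST['example_delete_key'] ) );
    if ( is_protected_meta( $key, 'post' ) ) {
        return;
    }
    delete_post_meta( $post_id, $key );
}
add_action( 'save_post', 'example_handle_delete' );
```

The point worth keeping in mind when auditing a plugin for this bug class: the capability gate must exist on every code path that reads or writes the data, not only where the UI is drawn. A missing check in either the add_meta_boxes registration or the save_post handler reproduces the disclosure or deletion the CVE describes.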
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries:
- (no CPE) range: <=4.6.0
- (no CPE) range: <=4.6.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1
News mentions
No linked articles in our index yet.