CVE-2026-3173
Description
The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user has permission to access the requested object's metadata. This makes it possible for authenticated attackers, with Contributor-level access and above, to read arbitrary user meta, post meta, and term meta data from any object in the database. On sites using plugins that store sensitive data in meta fields (e.g., WooCommerce billing/shipping information), this could lead to the exposure of Personally Identifiable Information (PII) including names, email addresses, phone numbers, and physical addresses.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Meta Field Block plugin up to 1.5.1 lacks permission checks when rendering metadata, letting authenticated contributors read arbitrary user/post/term meta, including PII.
Vulnerability
The Meta Field Block plugin for WordPress (all versions up to and including 1.5.1) contains an Insecure Direct Object Reference (IDOR) vulnerability in its block rendering functionality. The plugin allows users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user has permission to access the requested object's metadata [1][2]. This affects the meta-field-block.php component which processes block attributes and retrieves metadata for display.
Exploitation
An attacker must have at least Contributor-level access to a WordPress site where the Meta Field Block plugin is active and enabled. The attacker crafts or modifies a block instance, setting arbitrary objectID and objectType attributes to target specific database objects (e.g., a user ID, post ID, or term ID). When the block renders, the plugin fetches metadata from the specified object without checking the current user's capabilities on that object [1][2]. No additional privileges or user interaction beyond the initial authentication is required.
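What the missing authorisation step looks like, as an added example that is not the plugin's code and not a released fix: a hypothetical block render callback that maps the requested objectType/objectID pair to a WordPress capability check on that specific object before any metadata is fetched. The block name, attribute names (objectType, objectID, fieldName) and function names are assumptions.

```php
<?php
// Added example, not from the Meta Field Block plugin. Attribute names,
// block name and function names are assumed. The point is the object-level
// capability check that the CVE description says the plugin lacks.

function mfb_example_user_may_read_meta( string $type, int $id ): bool {
    switch ( $type ) {
        case 'post':
            // Contributors pass only for posts they may edit (normally their own).
            return get_post( $id ) instanceof WP_Post && current_user_can( 'edit_post', $id );
        case 'user':
            return get_userdata( $id ) instanceof WP_User && current_user_can( 'edit_user', $id );
        case 'term':
            return get_term( $id ) instanceof WP_Term && current_user_can( 'edit_term', $id );
        default:
            return false; // unknown object types are never rendered
    }
}

function mfb_example_render_meta_block( array $attributes ): string {
    $type = isset( $attributes['objectType'] ) ? (string) $attributes['objectType'] : 'post';
    $id   = isset( $attributes['objectID'] ) ? absint( $attributes['objectID'] ) : absint( get_the_ID() );
    $key  = isset( $attributes['fieldName'] ) ? sanitize_text_field( $attributes['fieldName'] ) : '';

    // Authorise against the object actually requested, not merely "is logged in".
    if ( '' === $key || ! $id || ! mfb_example_user_may_read_meta( $type, $id ) ) {
        return '';
    }
    // Never surface protected (underscore-prefixed or plugin-flagged) meta keys.
    if ( is_protected_meta( $key, $type ) ) {
        return '';
    }

    $value = get_metadata( $type, $id, $key, true );
    if ( ! is_scalar( $value ) ) {
        return ''; // arrays/objects are not rendered by this example
    }
    return '<div class="wp-block-example-meta">' . esc_html( (string) $value ) . '</div>';
}

add_action( 'init', function () {
    register_block_type( 'example/meta-field', array(
        'render_callback' => 'mfb_example_render_meta_block',
    ) );
} );
```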
Impact
Successful exploitation allows the attacker to read arbitrary user_meta, post_meta, and term_meta from any object in the database. This can expose Personally Identifiable Information (PII) such as names, email addresses, phone numbers, and physical addresses, especially on sites using plugins that store sensitive data in meta fields (e.g., WooCommerce billing/shipping information). The attacker does not gain write access or direct system control, but the confidentiality breach can lead to further privacy violations or targeted attacks.
Mitigation
As of the publication date (2026-05-28), no patched version has been released for the Meta Field Block plugin; the vulnerable line persists in version 1.5.3 [1][2]. Administrators should disable the plugin until a security update is provided. No workaround is available beyond removing the plugin entirely. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.5.1
Patches
- r3472303
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/display-a-meta-field-as-block/trunk/meta-field-block.php
- plugins.trac.wordpress.org/changeset/3472303/
- www.wordfence.com/threat-intel/vulnerabilities/id/247df9e2-0a63-49ad-86fa-cb4c6e62c4cf
News mentions
No linked articles in our index yet.