CVE-2026-49051
Description
Missing Authorization vulnerability in Prasad Kirpekar WP Meta and Date Remover allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects WP Meta and Date Remover: from n/a through 2.3.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WP Meta and Date Remover plugin up to 2.3.6 allows unauthenticated attackers to exploit broken access controls, potentially leading to unauthorized data manipulation.
Vulnerability
The WP Meta and Date Remover plugin for WordPress, versions up to 2.3.6, contains a missing authorization vulnerability [1]. This broken access control issue allows attackers to exploit incorrectly configured access control security levels. The plugin fails to properly verify permissions or nonce tokens on certain functions, making them accessible without authentication.
Exploitation
An attacker can exploit this vulnerability remotely without any authentication or user interaction [1]. By sending crafted HTTP requests to the vulnerable endpoints, the attacker can trigger the missing authorization flaw. No special network position or prior access is required.
Impact
Successful exploitation enables an attacker to perform actions that should be restricted to higher-privileged users, such as modifying or removing post meta and dates [1]. This could lead to unauthorized data manipulation, site defacement, or other integrity impacts. The vulnerability is known to be used in mass-exploit campaigns.
Mitigation
As of the publication date, no patched version of the plugin has been released [1]. Users should update to a fixed version as soon as it becomes available. If unable to update, consider disabling the plugin or implementing additional access controls. The vulnerability is tracked in the Patchstack database.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries:
- (no CPE) range: <=2.3.6
- (no CPE) range: <=2.3.6
Patches
No patches discovered yet.
References
1