Meta Box
by WordPress
CVEs (6)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-6526 | Med | 0.42 | 6.4 | 0.00 | Feb 5, 2024 | The Meta Box – WordPress Custom Fields Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom post meta values displayed through the plugin's shortcode in all versions up to, and including, 5.9.2 due to insufficient input sanitization and output… | ||
| CVE-2025-14675 | Hig | 0.40 | 7.2 | 0.01 | Mar 7, 2026 | The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. This makes it possible for authenticated attackers, with Contributor-level access… | ||
| CVE-2024-43235 | Hig | 0.39 | 7.1 | 0.00 | Nov 1, 2024 | Missing Authorization vulnerability in MetaBox.Io Meta Box – WordPress Custom Fields Framework allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Meta Box – WordPress Custom Fields Framework: from n/a through 5.9.10. | ||
| CVE-2024-1204 | 0.00 | — | 0.00 | Apr 15, 2024 | The Meta Box WordPress plugin before 5.9.4 does not prevent users with at least the contributor role from access arbitrary custom fields assigned to other user's posts. | |||
| CVE-2019-14794 | 0.00 | — | 0.00 | Aug 9, 2019 | The Meta Box plugin before 4.16.2 for WordPress mishandles the uploading of files to custom folders. | |||
| CVE-2019-14793 | 0.00 | — | 0.00 | Aug 9, 2019 | The Meta Box plugin before 4.16.3 for WordPress allows file deletion via ajax, with the wp-admin/admin-ajax.php?action=rwmb_delete_file attachment_id parameter. |
- risk 0.42cvss 6.4epss 0.00
The Meta Box – WordPress Custom Fields Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom post meta values displayed through the plugin's shortcode in all versions up to, and including, 5.9.2 due to insufficient input sanitization and output…
- risk 0.40cvss 7.2epss 0.01
The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. This makes it possible for authenticated attackers, with Contributor-level access…
- risk 0.39cvss 7.1epss 0.00
Missing Authorization vulnerability in MetaBox.Io Meta Box – WordPress Custom Fields Framework allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Meta Box – WordPress Custom Fields Framework: from n/a through 5.9.10.
- CVE-2024-1204Apr 15, 2024risk 0.00cvss —epss 0.00
The Meta Box WordPress plugin before 5.9.4 does not prevent users with at least the contributor role from access arbitrary custom fields assigned to other user's posts.
- CVE-2019-14794Aug 9, 2019risk 0.00cvss —epss 0.00
The Meta Box plugin before 4.16.2 for WordPress mishandles the uploading of files to custom folders.
- CVE-2019-14793Aug 9, 2019risk 0.00cvss —epss 0.00
The Meta Box plugin before 4.16.3 for WordPress allows file deletion via ajax, with the wp-admin/admin-ajax.php?action=rwmb_delete_file attachment_id parameter.