Vulnerability Description
The Post Meta Data Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pmdm_wp_delete_user_meta, pmdm_wp_delete_term_meta, and pmdm_wp_ajax_delete_meta functions in versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to delete user, term, and post meta belonging to arbitrary users.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wpexpertplugins | Post Meta Data Manager | < 1.2.1 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/2981559/post-meta-data-managerPatch
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d6a7f882-4582-4b08-959PatchThird Party Advisory
- https://plugins.trac.wordpress.org/changeset/2981559/post-meta-data-managerPatch
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d6a7f882-4582-4b08-959PatchThird Party Advisory
FAQ
What is CVE-2023-5426?
CVE-2023-5426 is a vulnerability with a CVSS score of 7.5 (HIGH). The Post Meta Data Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pmdm_wp_delete_user_meta, pmdm_wp_delete_term_meta, and pmd...
How severe is CVE-2023-5426?
CVE-2023-5426 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-5426?
Check the references section above for vendor advisories and patch information. Affected products include: Wpexpertplugins Post Meta Data Manager.