CVE-2026-3173
Received Received - Intake
Insecure Direct Object Reference in Meta Field Block WordPress Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user has permission to access the requested object's metadata. This makes it possible for authenticated attackers, with Contributor-level access and above, to read arbitrary user meta, post meta, and term meta data from any object in the database. On sites using plugins that store sensitive data in meta fields (e.g., WooCommerce billing/shipping information), this could lead to the exposure of Personally Identifiable Information (PII) including names, email addresses, phone numbers, and physical addresses.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-05-28
AI Q&A
2026-05-28
EPSS Evaluated
N/A
NVD
CVE-2026-3173
EUVD
EUVD-2026-32722
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence meta_field_block to 1.5.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The Meta Field Block plugin for WordPress has a vulnerability called Insecure Direct Object Reference (IDOR) in all versions up to and including 1.5.1.

This vulnerability occurs because the plugin allows users to specify arbitrary object IDs and object types through block attributes without checking if the authenticated user has permission to access the metadata of those objects.

As a result, attackers with Contributor-level access or higher can read arbitrary user meta, post meta, and term meta data from any object in the database.


How can this vulnerability impact me? :

This vulnerability can lead to unauthorized disclosure of sensitive information stored in meta fields.

On sites using plugins that store sensitive data in meta fields, such as WooCommerce billing and shipping information, attackers could access Personally Identifiable Information (PII) including names, email addresses, phone numbers, and physical addresses.

This exposure could compromise user privacy and potentially lead to further attacks or misuse of the leaked data.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability allows authenticated attackers with Contributor-level access and above to read arbitrary user meta, post meta, and term meta data from any object in the database. On sites using plugins that store sensitive data in meta fields, such as WooCommerce billing and shipping information, this could lead to the exposure of Personally Identifiable Information (PII) including names, email addresses, phone numbers, and physical addresses.

Exposure of such PII can result in non-compliance with data protection regulations and standards like GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart