CVE-2026-3173
Received Received - Intake
Insecure Direct Object Reference in Meta Field Block WordPress Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user has permission to access the requested object's metadata. This makes it possible for authenticated attackers, with Contributor-level access and above, to read arbitrary user meta, post meta, and term meta data from any object in the database. On sites using plugins that store sensitive data in meta fields (e.g., WooCommerce billing/shipping information), this could lead to the exposure of Personally Identifiable Information (PII) including names, email addresses, phone numbers, and physical addresses.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-3173
EUVD
EUVD-2026-32722
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence meta_field_block to 1.5.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Meta Field Block plugin for WordPress has a vulnerability called Insecure Direct Object Reference (IDOR) in all versions up to and including 1.5.1.

This vulnerability occurs because the plugin allows users to specify arbitrary object IDs and object types through block attributes without checking if the authenticated user has permission to access the metadata of those objects.

As a result, attackers with Contributor-level access or higher can read arbitrary user meta, post meta, and term meta data from any object in the database.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored in meta fields.

On sites using plugins that store sensitive data in meta fields, such as WooCommerce billing and shipping information, attackers could access Personally Identifiable Information (PII) including names, email addresses, phone numbers, and physical addresses.

This exposure could compromise user privacy and potentially lead to further attacks or misuse of the leaked data.

Compliance Impact

This vulnerability allows authenticated attackers with Contributor-level access and above to read arbitrary user meta, post meta, and term meta data from any object in the database. On sites using plugins that store sensitive data in meta fields, such as WooCommerce billing and shipping information, this could lead to the exposure of Personally Identifiable Information (PII) including names, email addresses, phone numbers, and physical addresses.

Exposure of such PII can result in non-compliance with data protection regulations and standards like GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3173. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart