Description
Missing Authorization vulnerability in JS Morisset JSM Show Post Metadata jsm-show-post-meta allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JSM Show Post Metadata: from n/a through <= 4.6.0.
Published: 2025-01-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The JSM Show Post Metadata plugin for WordPress contains a missing authorization flaw that allows attackers to read post metadata without proper authentication. This weakness, identified as CWE‑862, can expose sensitive content that should be restricted to privileged users, potentially compromising user privacy and site integrity.

Affected Systems

The vulnerability affects JS Morisset’s JSM Show Post Metadata plugin, any installation of the plugin version 4.6.0 or earlier.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while an EPSS score of less than 1% and absence from the CISA KEV catalog suggest low likelihood of current exploitation. The likely attack vector would involve sending unauthenticated HTTP requests to the plugin’s endpoints that lack proper access checks, which could be performed remotely from a web browser or automated script. Because the plugin is accessible via the WordPress administration area, the attack could be carried out by any visitor to the site unless additional access controls are enforced.

Generated by OpenCVE AI on May 2, 2026 at 05:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the JSM Show Post Metadata plugin to the latest available version to apply the vendor’s fix.
  • Verify the plugin’s configuration to limit metadata access to appropriate user roles, ensuring that only authenticated administrators can view or edit sensitive data.
  • Review WordPress user roles and capabilities to confirm that no excessive privileges are granted, and consider disabling the plugin if it is not required for site functionality.

Generated by OpenCVE AI on May 2, 2026 at 05:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3793 Missing Authorization vulnerability in JS Morisset JSM Show Post Metadata allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JSM Show Post Metadata: from n/a through 4.6.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in JS Morisset JSM Show Post Metadata allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JSM Show Post Metadata: from n/a through 4.6.0. Missing Authorization vulnerability in JS Morisset JSM Show Post Metadata jsm-show-post-meta allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JSM Show Post Metadata: from n/a through <= 4.6.0.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Fri, 24 Jan 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Jan 2025 17:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in JS Morisset JSM Show Post Metadata allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JSM Show Post Metadata: from n/a through 4.6.0.
Title WordPress JSM Show Post Metadata plugin <= 4.6.0 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:14:26.837Z

Reserved: 2025-01-23T14:50:49.323Z

Link: CVE-2025-24589

cve-icon Vulnrichment

Updated: 2025-01-24T18:47:48.514Z

cve-icon NVD

Status : Deferred

Published: 2025-01-24T18:15:36.013

Modified: 2026-06-17T08:59:16.607

Link: CVE-2025-24589

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T05:30:26Z

Weaknesses