Description
The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user has permission to access the requested object's metadata. This makes it possible for authenticated attackers, with Contributor-level access and above, to read arbitrary user meta, post meta, and term meta data from any object in the database. On sites using plugins that store sensitive data in meta fields (e.g., WooCommerce billing/shipping information), this could lead to the exposure of Personally Identifiable Information (PII) including names, email addresses, phone numbers, and physical addresses.
Published: 2026-05-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Meta Field Block plugin for WordPress allows authenticated users to specify arbitrary object IDs and types through block attributes. Because the plugin fails to verify that the user has permission to access the requested object's metadata, a user with Contributor or higher privileges can read meta data of any user, post, or term. This can expose sensitive PII, such as names and addresses, that are stored in meta fields by other plugins (e.g., WooCommerce).
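
The pattern behind this class of bug, shown as an added example that is not code from the Meta Field Block plugin: a dynamic block whose render callback reads metadata for an object named in block attributes. The function names (mfb_example_*) and the attribute names objectType / objectId / metaKey are assumptions made for this example; the vulnerable callback trusts the attributes, the hardened one maps the object type to the matching WordPress meta capability and checks it against the account that placed the block.

```php
<?php
/**
 * Added example, not code from the Meta Field Block plugin. Names
 * (mfb_example_*, attributes objectType / objectId / metaKey) are assumptions.
 */

// Vulnerable pattern (CWE-639): attributes are trusted as-is, so any author
// can point the block at any object and any meta key, for example
// objectType=user, objectId=7, metaKey=billing_phone.
function mfb_example_render_vulnerable( array $attributes ): string {
    $type = (string) ( $attributes['objectType'] ?? 'post' ); // 'post', 'user', 'term', ...
    $id   = (int) ( $attributes['objectId'] ?? 0 );
    $key  = (string) ( $attributes['metaKey'] ?? '' );

    $value = get_metadata( $type, $id, $key, true );
    return '<p>' . esc_html( (string) $value ) . '</p>';
}

// Hardened pattern: decide whether a given user may read that object's meta.
// Each object type maps to the matching meta capability; unknown types and
// protected keys (leading underscore) are refused.
function mfb_example_user_can_read_meta( int $user_id, string $type, int $id, string $key ): bool {
    if ( $user_id <= 0 || $id <= 0 || $key === '' || is_protected_meta( $key, $type ) ) {
        return false;
    }
    switch ( $type ) {
        case 'post':
            return user_can( $user_id, 'edit_post', $id );
        case 'user':
            return $user_id === $id || user_can( $user_id, 'edit_user', $id );
        case 'term':
            return user_can( $user_id, 'edit_term', $id );
        default:
            return false;
    }
}

// The subject of the check is the account that chose the attributes: the
// author of the post hosting the block (or, when no host post is known, as in
// an editor preview, the current user). Checking the viewer instead would
// break legitimate use for anonymous visitors and make the output depend on
// who is looking rather than on who placed the block.
function mfb_example_render_hardened( array $attributes, string $content, WP_Block $block ): string {
    $type = (string) ( $attributes['objectType'] ?? 'post' );
    $id   = (int) ( $attributes['objectId'] ?? 0 );
    $key  = (string) ( $attributes['metaKey'] ?? '' );

    // 'postId' is present in $block->context when block.json declares
    // "usesContext": ["postId"]; get_the_ID() covers the classic loop.
    $host_post_id = (int) ( $block->context['postId'] ?? get_the_ID() );
    $subject      = $host_post_id > 0
        ? (int) get_post_field( 'post_author', $host_post_id )
        : get_current_user_id();

    if ( ! mfb_example_user_can_read_meta( $subject, $type, $id, $key ) ) {
        return ''; // render nothing rather than leak
    }
    $value = get_metadata( $type, $id, $key, true );
    return '<p>' . esc_html( (string) $value ) . '</p>';
}

// Wiring the hardened callback into a block (a block.json next to this file is assumed).
add_action( 'init', function () {
    register_block_type( __DIR__ . '/block.json', [
        'render_callback' => 'mfb_example_render_hardened',
    ] );
} );
```

With the hardened callback a Contributor's block can only read meta of posts, terms, or the user account that the Contributor could edit anyway, while blocks placed by an administrator keep rendering to every visitor.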

Affected Systems

Any WordPress site running Meta Field Block version 1.5.1 or earlier is affected. Sites where the plugin is active and untrusted users hold Contributor or higher roles (open author registration, guest-post programmes, multi-author blogs) should consider themselves at risk, since Contributors can use the block editor on their own drafts by default. The flaw requires authentication; unauthenticated users cannot exploit it.

Risk and Exploitability

The vulnerability carries a CVSS v3.1 base score of 6.5 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: high impact on confidentiality, none on integrity or availability. The EPSS score is below 1% and the issue is not listed in the CISA KEV catalog, so there is no public evidence of exploitation yet. Successful exploitation requires an account with at least Contributor access, which by default can create and edit its own draft posts in the block editor. Once that prerequisite is met, the attack is trivial: the attacker inserts or edits a Meta Field Block instance whose attributes point at another object's type and ID and reads the metadata the plugin returns for it. This is an authorization bypass leading to information disclosure, not a privilege escalation; the attacker gains no capabilities beyond reading arbitrary metadata, which is a moderate threat to confidentiality.

Generated by OpenCVE AI on May 28, 2026 at 08:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Meta Field Block plugin to a release newer than 1.5.1 as soon as the vendor publishes one that fixes the insecure direct object reference; every release up to and including 1.5.1 is affected.
  • Review which accounts hold Contributor or higher roles. The flaw needs an authenticated Contributor+ account, so remove or downgrade untrusted accounts and close any open registration that grants the Contributor role; note that Contributors can already use the block editor on their own drafts by default, so there is no separate "edit blocks" permission to revoke.
  • If an immediate upgrade is not feasible, deactivate the plugin until a fixed release is available (restricting it to certain pages does not help, because the attacker inserts the block into content they author themselves), and audit saved post content for Meta Field Block instances whose object type or ID points at an object the post's author does not own.
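
One way to carry out the audit in the last item, as an added example rather than code from the plugin or from OpenCVE: a WP-CLI script (run with `wp eval-file audit.php`) that parses every post's block tree and reports each Meta Field Block instance that targets an object other than its host post, together with whether the post's author could edit that target. The block name `mfb/meta-field-block` and the attribute names objectType / objectId / metaKey are assumptions; adjust the constants if the installed version uses different ones.

```php
<?php
/**
 * Added example, not the plugin's or OpenCVE's code. Run: wp eval-file audit.php
 * Assumed block name and attribute names; change them to match the install.
 */
const MFB_EXAMPLE_BLOCK = 'mfb/meta-field-block';
const MFB_EXAMPLE_TYPE  = 'objectType';
const MFB_EXAMPLE_ID    = 'objectId';
const MFB_EXAMPLE_KEY   = 'metaKey';

/**
 * Recursively collect instances of the block, including ones nested in
 * groups, columns or other container blocks.
 *
 * @param array $blocks Output of parse_blocks().
 * @return array[] Flat list of matching block arrays.
 */
function mfb_example_collect_blocks( array $blocks ): array {
    $found = [];
    foreach ( $blocks as $b ) {
        if ( ( $b['blockName'] ?? '' ) === MFB_EXAMPLE_BLOCK ) {
            $found[] = $b;
        }
        if ( ! empty( $b['innerBlocks'] ) ) {
            $found = array_merge( $found, mfb_example_collect_blocks( $b['innerBlocks'] ) );
        }
    }
    return $found;
}

/**
 * One finding per block whose target is not the host post itself. A block
 * reading its own post's meta is the expected use and is skipped.
 */
function mfb_example_audit(): array {
    $findings = [];
    $posts    = get_posts( [
        'post_type'      => 'any',
        'post_status'    => [ 'publish', 'draft', 'pending', 'private', 'future' ],
        'posts_per_page' => -1,
        's'              => MFB_EXAMPLE_BLOCK, // cheap pre-filter on the block comment
    ] );

    foreach ( $posts as $post ) {
        foreach ( mfb_example_collect_blocks( parse_blocks( $post->post_content ) ) as $block ) {
            $attrs = $block['attrs'] ?? [];
            $type  = (string) ( $attrs[ MFB_EXAMPLE_TYPE ] ?? 'post' );
            $id    = (int) ( $attrs[ MFB_EXAMPLE_ID ] ?? $post->ID );
            $key   = (string) ( $attrs[ MFB_EXAMPLE_KEY ] ?? '' );

            if ( $type === 'post' && $id === (int) $post->ID ) {
                continue;
            }
            // Map the object type to the meta capability the author would need.
            $caps = [ 'post' => 'edit_post', 'user' => 'edit_user', 'term' => 'edit_term' ];
            $cap  = $caps[ $type ] ?? null;

            $findings[] = [
                'post_id'    => (int) $post->ID,
                'author_id'  => (int) $post->post_author,
                'target'     => $type . ':' . $id,
                'meta_key'   => $key,
                'author_may' => $cap !== null && user_can( (int) $post->post_author, $cap, $id ),
            ];
        }
    }
    return $findings;
}

foreach ( mfb_example_audit() as $f ) {
    printf(
        "post=%d author=%d target=%s key=%s author_can_edit_target=%s\n",
        $f['post_id'], $f['author_id'], $f['target'], $f['meta_key'],
        $f['author_may'] ? 'yes' : 'NO'
    );
}
```

Lines ending in `author_can_edit_target=NO` are the ones to look at first: a Contributor's draft pointing at another user's meta or another author's post is exactly the pattern the advisory describes. Rows authored by administrators are normally legitimate use of the plugin.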

Advisories

No advisories yet.

History

Thu, 28 May 2026 11:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 08:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Mr2p; Mr2p meta Field Block – Display Custom Fields In The Block Editor Without Coding; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Mr2p; Mr2p meta Field Block – Display Custom Fields In The Block Editor Without Coding; Wordpress; Wordpress wordpress

Thu, 28 May 2026 06:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user has permission to access the requested object's metadata. This makes it possible for authenticated attackers, with Contributor-level access and above, to read arbitrary user meta, post meta, and term meta data from any object in the database. On sites using plugins that store sensitive data in meta fields (e.g., WooCommerce billing/shipping information), this could lead to the exposure of Personally Identifiable Information (PII) including names, email addresses, phone numbers, and physical addresses.

Type: Title
Values Removed: (none)
Values Added: Meta Field Block <= 1.5.1 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary User Meta Exposure

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-639

Type: References
Values Removed: (none)
Values Added: (none shown on the page)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Mr2p Meta Field Block – Display Custom Fields In The Block Editor Without Coding
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-28T10:36:49.835Z

Reserved: 2026-02-24T23:12:47.134Z

Link: CVE-2026-3173

Vulnrichment

Updated: 2026-05-28T10:36:44.178Z

NVD

Status: Deferred

Published: 2026-05-28T06:16:26.917

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-3173

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T08:30:12Z

Weaknesses