Description
Missing Authorization vulnerability in Prasad Kirpekar WP Meta and Date Remover allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects WP Meta and Date Remover: from n/a through 2.3.6.
Published: 2026-05-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that allows an attacker to exploit incorrectly configured access control levels within the WP Meta and Date Remover plugin. This flaw is classified as CWE-862 and can enable the attacker to access or modify plugin functionality that should be restricted, potentially leading to unauthorized removal of metadata or other privileged actions on a WordPress site.

Affected Systems

The affected software is Prasad Kirpekar’s WP Meta and Date Remover plugin for WordPress, with versions from the initial release up to and including 2.3.6. Any WordPress installation using this plugin within that version range is impacted.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity, and the EPSS score is not available, suggesting limited current exploitation data. The vulnerability is not listed in the CISA KEV catalog. Given the web-facing nature of WordPress, the likely attack vector is a web request to the plugin’s endpoints, and the exploit requires the attacker to have network access to the site. While the impact is moderate, the potential to elevate privileges to a higher user role could be significant in permissive hosting environments.

Generated by OpenCVE AI on May 27, 2026 at 19:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Meta and Date Remover plugin to a version newer than 2.3.6 if available.
  • Restrict the plan of users by assigning appropriate WordPress roles, ensuring that only trusted administrators can use the plugin.
  • If the plugin is not essential, consider disabling or uninstalling it to eliminate the vulnerability.

Generated by OpenCVE AI on May 27, 2026 at 19:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 04:00:00 +0000

Type Values Removed Values Added
First Time appeared Prasadkirpekar
Prasadkirpekar wp Meta And Date Remover
Wordpress
Wordpress wordpress
Vendors & Products Prasadkirpekar
Prasadkirpekar wp Meta And Date Remover
Wordpress
Wordpress wordpress

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Prasad Kirpekar WP Meta and Date Remover allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Meta and Date Remover: from n/a through 2.3.6.
Title WordPress WP Meta and Date Remover plugin <= 2.3.6 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Prasadkirpekar Wp Meta And Date Remover
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T15:34:57.770Z

Reserved: 2026-05-27T10:26:36.699Z

Link: CVE-2026-49051

cve-icon Vulnrichment

Updated: 2026-05-27T15:34:52.132Z

cve-icon NVD

Status : Deferred

Published: 2026-05-27T15:16:33.367

Modified: 2026-06-17T10:55:27.850

Link: CVE-2026-49051

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T03:45:05Z

Weaknesses