PatchSiren cyber security CVE debrief
CVE-2026-3173 mr2p CVE debrief
The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference (IDOR) in all versions up to and including 1.5.1. The plugin fails to validate whether authenticated users have permission to access requested object metadata when users specify arbitrary object IDs and object types via block attributes. This allows authenticated attackers with Contributor-level access or higher to read arbitrary user meta, post meta, and term meta data from any object in the database. On sites using plugins that store sensitive data in meta fields, such as WooCommerce billing and shipping information, this vulnerability could expose Personally Identifiable Information including names, email addresses, phone numbers, and physical addresses. The vulnerability was assigned a CVSS 3.1 score of 6.5 (Medium severity) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The weakness is categorized as CWE-639: Authorization Bypass Through User-Controlled Key. A changeset (3472303) has been committed to address this issue in the WordPress plugin repository.
- Vendor: mr2p
- Product: Meta Field Block – Display custom fields in the Block Editor without coding
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
WordPress site administrators running the Meta Field Block plugin; e-commerce operators using WooCommerce with this plugin installed; security teams monitoring for IDOR vulnerabilities in content management systems; compliance officers responsible for PII protection in WordPress environments
Technical summary
The Meta Field Block plugin registers a Gutenberg block that renders metadata from WordPress objects (posts, users, terms). The block accepts 'objectId' and 'objectType' attributes, and the server side performs no authorization check of those values against the requesting user's capabilities. When a post containing the block is rendered, the plugin's server-side callback (meta-field-block.php, lines 206 and 328 per the source references) retrieves metadata using the supplied identifiers directly, bypassing WordPress's standard capability checks. This IDOR pattern allows both horizontal and vertical privilege escalation for metadata access. Any authenticated user with block-editing capabilities (Contributor or higher in a default WordPress configuration) can exploit it by creating or modifying a post so that the block's attributes point at arbitrary object IDs.
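The authorization gap described above, shown as an added illustrative example (this is not the plugin's own code; the function names, the `objectId`/`objectType`/`fieldName` attribute names and the current-post parameter are assumptions): the first render callback trusts the block attributes outright, the second allow-lists the object type and requires a capability on the specific target object before reading its meta.

```php
<?php
// Added example, not the plugin's code. Names below are assumptions.

// Vulnerable pattern: objectId/objectType come straight from the block
// attributes and are passed to get_metadata() with no authorization check.
function example_render_meta_vulnerable( array $attributes ): string {
    $object_id   = (int) ( $attributes['objectId'] ?? 0 );
    $object_type = (string) ( $attributes['objectType'] ?? 'post' );
    $field       = (string) ( $attributes['fieldName'] ?? '' );
    $value       = get_metadata( $object_type, $object_id, $field, true );
    return esc_html( (string) $value );
}

// Hardened helper: the block's ordinary use (non-protected meta of the post
// being rendered) is allowed; any other object requires that the current
// user can edit that specific object. Unknown object types are refused.
function example_user_can_read_object_meta( string $object_type, int $object_id, string $field, int $current_post_id ): bool {
    if ( is_protected_meta( $field, $object_type ) ) {
        return false; // never expose underscore-prefixed / protected keys
    }
    switch ( $object_type ) {
        case 'post':
            if ( $object_id === $current_post_id ) {
                return true; // the post the block lives in
            }
            $post = get_post( $object_id );
            return $post instanceof WP_Post && current_user_can( 'edit_post', $post->ID );
        case 'user':
            return current_user_can( 'edit_user', $object_id );
        case 'term':
            $term = get_term( $object_id );
            return $term instanceof WP_Term && current_user_can( 'edit_term', $term->term_id );
        default:
            return false;
    }
}

function example_render_meta_hardened( array $attributes, int $current_post_id ): string {
    $object_id   = (int) ( $attributes['objectId'] ?? 0 );
    $object_type = (string) ( $attributes['objectType'] ?? 'post' );
    $field       = sanitize_key( (string) ( $attributes['fieldName'] ?? '' ) );
    if ( $object_id <= 0 || '' === $field
        || ! example_user_can_read_object_meta( $object_type, $object_id, $field, $current_post_id ) ) {
        return ''; // render nothing rather than leak another object's meta
    }
    $value = get_metadata( $object_type, $object_id, $field, true );
    return esc_html( (string) $value );
}
```

In a real render callback the current post ID would come from the block context (`$block->context['postId']`) or `get_the_ID()`; it is passed explicitly here to keep the check easy to read and to test.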
Defensive priority
medium
Recommended defensive actions
- Update the Meta Field Block WordPress plugin to version 1.5.2 or later, which contains changeset 3472303 addressing this vulnerability
- Review WordPress user accounts with Contributor or higher privileges for any unauthorized access patterns
- Audit sites running WooCommerce or other plugins storing PII in meta fields for potential data exposure
- Consider implementing additional access controls on sensitive meta fields until patching is complete
- Monitor WordPress security logs for unauthorized metadata access attempts
Evidence notes
Vulnerability description and technical details sourced from NVD record published 2026-05-28. CVSS vector and score confirmed via NVD. WordPress plugin repository changeset 3472303 identified as remediation commit. Wordfence threat intelligence reference provides additional context on affected versions and attack requirements. Vendor attribution marked as 'Unknown Vendor' with low confidence in source corpus; product identified as 'Meta Field Block' WordPress plugin based on reference domain analysis.
Official resources
2026-05-28