PatchSiren cyber security CVE debrief

CVE-2026-49051 Prasad Kirpekar CVE debrief

CVE-2026-49051 is a Missing Authorization vulnerability in the WP Meta and Date Remover WordPress plugin, affecting all versions through 2.3.6. The vulnerability allows exploitation of incorrectly configured access control security levels, enabling authenticated attackers with low privileges to potentially access or modify functionality intended for higher-privileged users. The CVSS 3.1 score of 4.3 (Medium) reflects a network attack vector, low attack complexity, low privileges required, no user interaction, and limited confidentiality impact with no integrity or availability impact. The vulnerability was published to the NVD on 2026-05-27 and last modified the same day. The root cause is classified under CWE-862 (Missing Authorization). No known exploitation in the wild or ransomware campaign use has been documented.

Vendor: Prasad Kirpekar
Product: WP Meta and Date Remover
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

WordPress site administrators using the WP Meta and Date Remover plugin; security teams managing WordPress installations; compliance officers tracking access control vulnerabilities.

Technical summary

The WP Meta and Date Remover plugin fails to properly validate user capabilities before executing sensitive operations, allowing authenticated users with subscriber-level or higher privileges to bypass intended access controls. The vulnerability exists in all versions through 2.3.6 due to missing capability checks on administrative functions.

Defensive priority

medium

Recommended defensive actions

  • Update the WP Meta and Date Remover plugin to version 2.3.7 or later when available
  • Review WordPress user role assignments and apply principle of least privilege
  • Audit plugin settings for unauthorized modifications if running affected versions
  • Monitor WordPress audit logs for suspicious activity from low-privileged accounts
  • Consider temporarily disabling the plugin if updates are unavailable and functionality is not critical

Evidence notes

Vulnerability identified through Patchstack security research. NVD status is currently 'Deferred' pending additional analysis. The CVSS vector confirms an authenticated attack scenario with limited impact scope.
