CVE-2023-5426
Post Meta Data Manager <=1.2.0 - Missing Authorization to User, Term, and Post Meta Deletion
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The Post Meta Data Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pmdm_wp_delete_user_meta, pmdm_wp_delete_term_meta, and pmdm_wp_ajax_delete_meta functions in versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to delete user, term, and post meta belonging to arbitrary users.
El complemento Post Meta Data Manager para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en las funciones pmdm_wp_delete_user_meta, pmdm_wp_delete_term_meta y pmdm_wp_ajax_delete_meta en versiones hasta la 1.2.0 incluida. Esto hace posible que atacantes no autenticados eliminen usuarios, términos y publicaciones meta pertenecientes a usuarios arbitrarios.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-10-05 CVE Reserved
- 2023-10-27 CVE Published
- 2024-08-02 CVE Updated
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-862: Missing Authorization
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Wpexpertplugins Search vendor "Wpexpertplugins" | Post Meta Data Manager Search vendor "Wpexpertplugins" for product "Post Meta Data Manager" | < 1.2.1 Search vendor "Wpexpertplugins" for product "Post Meta Data Manager" and version " < 1.2.1" | wordpress |
Affected
| ||||||