Meta Field Block WordPress Plugin Insecure Direct Object Reference Vulnerability

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Meta Field Block plugin for WordPress, affecting all versions through 1.5.1. The plugin lets users supply arbitrary object IDs and object types via block attributes without verifying that the user has permission to access that object's metadata. As a result, authenticated attackers with Contributor-level access or higher can read user meta, post meta, and term meta from any object in the database. On sites using plugins that store sensitive information in meta fields, such as WooCommerce, this could expose Personally Identifiable Information (PII) like names, email addresses, phone numbers, and physical addresses.

Impact

Exploitation of this vulnerability could lead to unauthorized access and exposure of sensitive user metadata, including Personally Identifiable Information (PII) such as names, email addresses, phone numbers, and physical addresses, especially on sites using WooCommerce.

Remediation

Users are advised to update the Meta Field Block plugin to version 1.5.2 or later.
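
For developers whose blocks read metadata by object type and ID, the kind of object-level check described as missing above could look like this. It is an added example, not the plugin's code or its 1.5.2 patch: the function name and argument shape are hypothetical, the WordPress calls are core APIs, and tying read access to edit rights on the object is an assumed policy.

```php
<?php
/**
 * Added example: authorize a metadata read before performing it.
 * mfb_example_read_meta() and its arguments are hypothetical; they stand in
 * for the object type, object ID and meta key a block receives as attributes.
 */
function mfb_example_read_meta( string $object_type, int $object_id, string $meta_key ) {
    // Only the three object types named in the advisory are accepted.
    $caps = array(
        'post' => 'edit_post',
        'user' => 'edit_user',
        'term' => 'edit_term',
    );
    if ( ! isset( $caps[ $object_type ] ) || $object_id <= 0 ) {
        return new WP_Error( 'invalid_object', 'Unsupported object type or ID.' );
    }

    // Object-level check (assumed policy): the current user must be allowed
    // to edit this specific post, user or term. Holding the Contributor role
    // alone does not grant that for other people's objects.
    if ( ! current_user_can( $caps[ $object_type ], $object_id ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to read this object.', array( 'status' => 403 ) );
    }

    // Keys WordPress treats as protected (leading underscore by default)
    // additionally require the per-key meta capability.
    if ( is_protected_meta( $meta_key, $object_type )
        && ! current_user_can( "edit_{$object_type}_meta", $object_id, $meta_key ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to read this meta key.', array( 'status' => 403 ) );
    }

    // Authorization passed: perform the read.
    return get_metadata( $object_type, $object_id, $meta_key, true );
}
```

WooCommerce customer fields of the kind the advisory mentions are typically stored under unprotected keys, so the per-object capability check, not the protected-key check, is what prevents a Contributor from reading another user's data.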

Added: May 28, 2026, 6:31 AM
Updated: May 28, 2026, 6:31 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.9
remediation: 0.0
relevance: 9.7
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.