CVE-2023-5426
📋 TL;DR
The Post Meta Data Manager WordPress plugin up to version 1.2.0 contains missing capability checks on delete functions, allowing unauthenticated attackers to delete user, term, and post metadata belonging to arbitrary users. This affects all WordPress sites running the vulnerable plugin version.
💻 Affected Systems
- Post Meta Data Manager WordPress Plugin
📦 What is this software?
Post Meta Data Manager by Wpexpertplugins
⚠️ Risk & Real-World Impact
Worst Case
Attackers could delete critical metadata like user roles, post visibility settings, or term relationships, potentially causing site functionality breakdown, data loss, or privilege escalation.
Likely Case
Attackers delete user metadata to disrupt accounts, remove post metadata to break site content, or delete term metadata to damage site taxonomy and organization.
If Mitigated
With proper access controls and patching, impact is limited to attempted attacks that fail due to proper authentication and authorization checks.
🎯 Exploit Status
The vulnerability requires no authentication and involves simple HTTP requests to specific AJAX endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.1
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2981559/post-meta-data-manager
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Post Meta Data Manager.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.2.1 from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Disable Plugin
Temporarily deactivate the Post Meta Data Manager plugin until patched.
wp plugin deactivate post-meta-data-manager
Restrict AJAX Access
Block access to wp-admin/admin-ajax.php for unauthenticated users via a web application firewall or .htaccess. The .htaccess rule below filters by source IP rather than by login state, so it also blocks the logged-out front-end features that admin-ajax.php serves for anonymous visitors; the Order/Deny/Allow directives are Apache 2.2 syntax (provided by mod_access_compat on Apache 2.4).
# In .htaccess:
<Files "admin-ajax.php">
Order Deny,Allow
Deny from all
Allow from 192.168.0.0/16
</Files>
🧯 If You Can't Patch
- Remove the Post Meta Data Manager plugin entirely from the WordPress installation.
- Implement strict network access controls to limit who can reach the WordPress admin AJAX endpoints.
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel > Plugins > Installed Plugins for the Post Meta Data Manager version. If the version is 1.2.0 or lower, the site is vulnerable.
Check Version:
wp plugin get post-meta-data-manager --field=version
Verify Fix Applied:
After updating, verify that the plugin version shows 1.2.1 or higher in the WordPress admin plugins list.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with the action parameter set to pmdm_wp_delete_user_meta, pmdm_wp_delete_term_meta, or pmdm_wp_ajax_delete_meta from clients with no authenticated WordPress session. Note that a stock access log only records the action parameter when it is sent in the query string; if it is sent in the POST body, WAF or request-body logging is needed to see it.
- Unexpected deletions in WordPress user_meta, term_meta, or post_meta database tables.
Network Indicators:
- Unusual volume of POST requests to WordPress admin-ajax.php endpoint from external IPs.
- HTTP 200 responses to admin-ajax.php requests without corresponding authentication logs.
SIEM Query:
source="web_logs" AND url="/wp-admin/admin-ajax.php" AND (action="pmdm_wp_delete_user_meta" OR action="pmdm_wp_delete_term_meta" OR action="pmdm_wp_ajax_delete_meta") AND NOT user_agent="WordPress/*"
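The SIEM query above, expressed as a small Python checker run over constructed combined-format access-log lines. This is an added example, not code from the advisory or the plugin; it assumes the action parameter is visible in the query string and uses constructed sample lines.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# AJAX action names listed in this advisory's detection section.
PMDM_DELETE_ACTIONS = {"pmdm_wp_delete_user_meta", "pmdm_wp_delete_term_meta",
                       "pmdm_wp_ajax_delete_meta"}
# Combined log format. Assumption: `action` is visible in the query string; if it
# travels only in the POST body, a stock access log will not show it and you need
# WAF or request-body logging instead.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse_line(line):
    """Return a dict for a well-formed combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, query = rec["target"].partition("?")
    rec["params"] = dict(parse_qsl(query))
    return rec

def is_pmdm_delete_attempt(rec):
    """Same predicate as the advisory's SIEM query, including the exclusion of
    WordPress's own loopback/cron user agent."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-admin/admin-ajax.php")
            and rec["params"].get("action") in PMDM_DELETE_ACTIONS
            and not rec["ua"].startswith("WordPress/"))

def find_attempts(lines, threshold=2):
    """Return ({ip: hits} for IPs at or above threshold, total matching hits)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_pmdm_delete_attempt(rec):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}, sum(hits.values())

# Constructed sample lines (not real traffic); one per case worth checking.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=pmdm_wp_delete_user_meta HTTP/1.1" 200 12 "-" "curl/8.1.2"',
    '203.0.113.7 - - [10/Oct/2023:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=pmdm_wp_delete_term_meta HTTP/1.1" 200 12 "-" "curl/8.1.2"',
    '203.0.113.7 - - [10/Oct/2023:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=pmdm_wp_ajax_delete_meta HTTP/1.1" 200 12 "-" "curl/8.1.2"',
    '192.168.1.5 - - [10/Oct/2023:12:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Oct/2023:12:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=pmdm_wp_delete_user_meta HTTP/1.1" 200 12 "-" "WordPress/6.3; https://example.test"',
    'garbage line that does not parse',
]
```

Running `find_attempts(SAMPLE_LOG)` flags only 203.0.113.7 (three hits); the heartbeat call, the WordPress loopback request and the unparseable line are all ignored.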
🔗 References
- https://plugins.trac.wordpress.org/changeset/2981559/post-meta-data-manager
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d6a7f882-4582-4b08-9597-329d140ad782?source=cve