Post Meta Data Manager < 1.2.1 – Missing Authorization to Post, Term, and User Meta Deletion | Plugin Vulnerabilities

Description

The Post Meta Data Manager plugin for WordPress is vulnerable to unauthorized modification and loss of data due to missing capability checks on the pmdm_wp_ajax_delete_meta, pmdm_wp_delete_user_meta, and pmdm_wp_delete_user_meta functions hooked via nopriv AJAX actions in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to delete arbitrary user, term, and post meta.

Affects Plugins

post-meta-data-manager

Fixed in 1.2.1

References

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1958c166-282d-4469-b79d-4e959e0492c1

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Verified

No

WPVDB ID

fb1594e3-5336-4f67-8d58-a8555ae59c36

Timeline

Publicly Published

2023-10-20 (about 2 years ago)

Added

2023-12-20 (about 2 years ago)

Last Updated

2024-01-12 (about 2 years ago)

Other

Published

Title

Published

2025-08-27

Title

WP Bulk Delete < 1.3.7 - Missing Authorization

Published

2024-06-06

Title

Album Gallery – WordPress Gallery < 1.5.8 - Missing Authorization

Published

2023-08-30

Title

Multiple Plugins from ServMask - Unauthenticated Access Token Update

Published

2023-11-28

Title

Download canvasio3D Light <= 2.5.0 - Subscriber+ Entries Update/Deletion

Published

2022-03-11

Title

Material Design for Contact Form 7 <= 2.6.4 - Subscriber+ Arbitrary Settings Update leading to DoS