CVE-2026-3173 Overview
CVE-2026-3173 is an Insecure Direct Object Reference (IDOR) vulnerability in the Meta Field Block plugin for WordPress, affecting all versions up to and including 1.5.1. The plugin accepts arbitrary object IDs and object types through block attributes without verifying whether the authenticated user has permission to access the requested metadata. Authenticated attackers with Contributor-level access or higher can read arbitrary user meta, post meta, and term meta from any object in the database. Sites running plugins that store sensitive data in meta fields, such as WooCommerce billing and shipping records, are exposed to leakage of names, email addresses, phone numbers, and physical addresses.
Critical Impact
Authenticated Contributor-level users can read arbitrary user, post, and term metadata, exposing Personally Identifiable Information (PII) stored by plugins such as WooCommerce.
Affected Products
- Meta Field Block plugin for WordPress, versions up to and including 1.5.1
- WordPress sites with Contributor-level or higher user registration enabled
- Sites combining the plugin with WooCommerce or similar plugins storing PII in meta fields
Discovery Timeline
- 2026-05-28 - CVE-2026-3173 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-3173
Vulnerability Analysis
The Meta Field Block plugin renders WordPress metadata inside Gutenberg blocks. The block accepts user-controlled attributes specifying which object's metadata to retrieve. The plugin reads these attributes and fetches the values with functions such as get_post_meta, get_user_meta, or get_term_meta without confirming that the requester is authorized to view the target object.
This design flaw maps to CWE-639: Authorization Bypass Through User-Controlled Key. Any user able to insert or render the block, which includes Contributors, can iterate object IDs across the site. The vulnerability does not require administrative privileges, social engineering, or chaining with other flaws.
Root Cause
The code paths referenced in the WordPress plugin source at line 206 and line 328 trust the objectId and objectType attributes supplied by the block. The plugin omits a current_user_can capability check tying the requester to the target object before returning metadata. As a result, the server returns meta values for any object the database contains.
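The following is an added illustrative example, not the plugin's actual source: a render callback that trusts objectId and objectType as the advisory describes, next to a hardened form that ties the requester to the specific target object and key. The attribute name fieldName is hypothetical; the block name is taken from the renderer route in the indicator list below.

```php
<?php
// Added illustrative example, not the Meta Field Block plugin's actual source.
// objectId/objectType come from the advisory; 'fieldName' is a hypothetical
// attribute name standing in for whichever attribute names the meta key.

// Vulnerable pattern: whoever can render the block reads any object's meta.
function mfb_render_unsafe( array $attributes ): string {
    $id   = (int) ( $attributes['objectId'] ?? 0 );
    $type = $attributes['objectType'] ?? 'post';
    $key  = $attributes['fieldName'] ?? '';
    // get_metadata() dispatches to post/user/term meta by $type; nothing here
    // asks whether the current user may see object $id at all.
    $value = get_metadata( $type, $id, $key, true );
    return esc_html( is_scalar( $value ) ? (string) $value : '' );
}

// Hardened: tie the requester to the specific target object, then to the key.
function mfb_can_read_meta( string $type, int $id, string $key ): bool {
    if ( ! in_array( $type, array( 'post', 'user', 'term' ), true ) ) {
        return false; // unknown object type: deny rather than fall through
    }
    // edit_post / edit_user / edit_term are meta capabilities resolved per
    // object by map_meta_cap(); a Contributor passes only for their own drafts.
    if ( ! current_user_can( "edit_{$type}", $id ) ) {
        return false;
    }
    // Protected keys (leading underscore or registered as protected) need the
    // per-key capability as well, mirroring what the REST API requires.
    if ( is_protected_meta( $key, $type ) && ! current_user_can( "edit_{$type}_meta", $id, $key ) ) {
        return false;
    }
    return true;
}

function mfb_render_safe( array $attributes ): string {
    $id   = (int) ( $attributes['objectId'] ?? 0 );
    $type = sanitize_key( (string) ( $attributes['objectType'] ?? 'post' ) );
    $key  = sanitize_text_field( (string) ( $attributes['fieldName'] ?? '' ) );
    if ( $id <= 0 || '' === $key || ! mfb_can_read_meta( $type, $id, $key ) ) {
        return ''; // render nothing; do not reveal whether the object exists
    }
    $value = get_metadata( $type, $id, $key, true );
    return esc_html( is_scalar( $value ) ? (string) $value : '' );
}

// Block name taken from the renderer route in the advisory's indicator list.
add_action( 'init', function () {
    register_block_type( 'meta-field-block/meta-field-block', array( 'render_callback' => 'mfb_render_safe' ) );
} );
```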
Attack Vector
An attacker authenticates as a Contributor or higher, creates or edits a draft post, and inserts the Meta Field Block. The attacker sets objectType to user, post, or term and supplies an arbitrary objectId. Rendering the block returns the requested meta value in the editor preview. By iterating IDs, the attacker enumerates email addresses, WooCommerce billing addresses, password reset keys, and other sensitive meta stored on the site. The vulnerability is exploitable remotely over the network and requires no user interaction beyond the attacker's own session.
No public proof-of-concept code is referenced in the advisory. See the Wordfence vulnerability analysis for additional technical context.
Detection Methods for CVE-2026-3173
Indicators of Compromise
- REST API requests to /wp-json/wp/v2/block-renderer/meta-field-block/meta-field-block containing varying objectId values from the same authenticated user
- Unusual spikes in block render requests from Contributor or Author accounts
- Sequential or scripted enumeration patterns across user IDs, post IDs, or term IDs in WordPress access logs
Detection Strategies
- Review WordPress access logs for repeated block-renderer requests referencing the Meta Field Block from non-administrative accounts
- Correlate session activity for Contributor accounts that access metadata belonging to other users or unpublished posts
- Inspect draft post revisions for Meta Field Block instances referencing user or term object types from non-privileged authors
Monitoring Recommendations
- Enable WordPress audit logging to capture REST API calls and block render operations with user attribution
- Forward web server and WordPress logs to a centralized SIEM for enumeration pattern analysis
- Alert on any non-administrator account issuing more than a configurable threshold of block-renderer requests within a short window
How to Mitigate CVE-2026-3173
Immediate Actions Required
- Update the Meta Field Block plugin to a version later than 1.5.1 that includes the fix from WordPress changeset #3472303
- Audit Contributor, Author, and Editor accounts for unexpected activity and reset credentials where compromise is suspected
- Review meta fields populated by WooCommerce and similar plugins to determine the scope of potentially exposed PII
Patch Information
The vendor addressed the issue in WordPress changeset #3472303, which adds capability checks to the block render endpoint. Site administrators should apply the latest plugin update through the WordPress plugin manager and confirm the installed version is greater than 1.5.1.
Workarounds
- Deactivate the Meta Field Block plugin until the patched version is installed
- Restrict new user registration and limit Contributor-level access to trusted accounts only
- Apply a web application firewall rule to block REST API calls to the meta-field-block renderer from non-administrative roles
# Verify installed plugin version and update via WP-CLI
wp plugin get display-a-meta-field-as-block --field=version
wp plugin update display-a-meta-field-as-block
wp plugin deactivate display-a-meta-field-as-block # temporary workaround if patch unavailable
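As an added example (not part of the plugin or the vendor fix), a must-use plugin can apply the role-based restriction and the user-attributed logging described above inside WordPress itself, without a separate WAF. The route string comes from the indicator list; the threshold and window values are assumed tuning values.

```php
<?php
/**
 * Plugin Name: Meta Field Block renderer guard (temporary workaround)
 * Added example for wp-content/mu-plugins/; not part of the plugin itself.
 * Denies the block-renderer REST route for this block to everyone without
 * manage_options and logs each attempt with user attribution and the
 * requested object, so bursts of objectId values stand out in the logs.
 */

// Route from the advisory's indicator list.
const MFB_RENDERER_ROUTE  = '/wp/v2/block-renderer/meta-field-block/meta-field-block';
const MFB_ALERT_THRESHOLD = 20;  // requests per user per window; assumed tuning value
const MFB_ALERT_WINDOW    = 300; // seconds; assumed tuning value

add_filter( 'rest_request_before_callbacks', 'mfb_guard_renderer', 10, 3 );

function mfb_guard_renderer( $response, $handler, WP_REST_Request $request ) {
    if ( MFB_RENDERER_ROUTE !== $request->get_route() ) {
        return $response; // unrelated route, leave untouched
    }
    $user_id = get_current_user_id();
    $attrs   = (array) $request->get_param( 'attributes' );
    $target  = sprintf( '%s:%d',
        sanitize_key( (string) ( $attrs['objectType'] ?? 'unknown' ) ),
        (int) ( $attrs['objectId'] ?? 0 )
    );
    error_log( sprintf( 'mfb-guard: user %d requested meta for %s', $user_id, $target ) );

    // Per-user hit counter in a transient; the window slides with each hit.
    $counter = 'mfb_renderer_hits_' . $user_id;
    $hits    = (int) get_transient( $counter ) + 1;
    set_transient( $counter, $hits, MFB_ALERT_WINDOW );
    if ( MFB_ALERT_THRESHOLD === $hits ) {
        error_log( sprintf( 'mfb-guard: ALERT user %d reached %d renderer requests within %ds',
            $user_id, $hits, MFB_ALERT_WINDOW ) );
    }

    // Returning a WP_Error here makes the REST server answer with it and skip
    // the renderer callback entirely.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'mfb_forbidden', 'Meta Field Block rendering is restricted on this site.',
            array( 'status' => 403 ) );
    }
    return $response;
}
```

This also disables the block's editor preview for non-administrators, which is the intended trade-off until the patched version is installed.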
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.