CVE-2023-5426 HIGH

CVE-2023-5426: Post Meta Data Manager <=1.2.0 - Missing Authorization to User, Term, and Post Meta Deletion

Vendor Gandhihitesh9

Product Post Meta Data Manager

Weakness CWE-862 · Missing authorization

Published October 28, 2023

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

The Post Meta Data Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pmdm_wp_delete_user_meta, pmdm_wp_delete_term_meta, and pmdm_wp_ajax_delete_meta functions in versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to delete user, term, and post meta belonging to arbitrary users.

Key dates

02Disclosure timeline

October 28, 2023 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-5426 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2024-56004 WordPress Easy Site Importer plugin <= 1.0.1 - Settings Change vulnerability CVE-2025-34171 CasaOS <= 0.4.15 Unauthenticated File and Debug Data Exposure CVE-2024-33565 WordPress Barcode Scanner with Inventory & Order Manager plugin <= 1.5.3 - Unauthenticated Broken Access Control vulnerability CVE-2024-49686 WordPress Landing Page Cat plugin <= 1.7.4 - Broken Access Control vulnerability CVE-2026-4057 Download Manager <= 3.3.51 - Missing Authorization to Authenticated (Contributor+) Media File Protection Removal