← back
CVE-2024-1204

Meta Box < 5.9.4 - Contributor+ Arbitrary Posts' Custom Field Disclosure

CVSS 4.3 MEDIUMEPSS 0.5%
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 4.3EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
15 Apr 2024Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Meta Box WordPress plugin before 5.9.4 does not prevent users with at least the contributor role from access arbitrary custom fields assigned to other user's posts.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Affected products
Unknown · Meta Box