Vulnerabilities (CVE)

Filtered by vendor Wpexpertplugins Subscribe
Filtered by product Post Meta Data Manager
Total 4 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-6264 1 Wpexpertplugins 1 Post Meta Data Manager 2024-11-21 N/A 6.4 MEDIUM
The Post Meta Data Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘$meta_key’ parameter in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2023-5776 1 Wpexpertplugins 1 Post Meta Data Manager 2024-11-21 N/A 4.3 MEDIUM
The Post Meta Data Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the pmdm_wp_ajax_delete_meta, pmdm_wp_delete_user_meta, and pmdm_wp_delete_user_meta functions. This makes it possible for unauthenticated attackers to delete arbitrary user, term, and post meta via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-5426 1 Wpexpertplugins 1 Post Meta Data Manager 2024-11-21 N/A 7.5 HIGH
The Post Meta Data Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pmdm_wp_delete_user_meta, pmdm_wp_delete_term_meta, and pmdm_wp_ajax_delete_meta functions in versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to delete user, term, and post meta belonging to arbitrary users.
CVE-2023-5425 1 Wpexpertplugins 1 Post Meta Data Manager 2024-11-21 N/A 8.8 HIGH
The Post Meta Data Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pmdm_wp_change_user_meta and pmdm_wp_change_post_meta functions in versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to gain elevated (e.g., administrator) privileges.