Post Meta Data Manager Security & Risk Analysis

wordpress.org/plugins/post-meta-data-manager

View, edit, search, and manage post meta, user meta, and taxonomy meta directly from WordPress edit screens—no database access needed.

1K active installs · v1.4.4 · PHP + WP 6.0.1+ · Updated Feb 23, 2026
Tags: custom-post-meta-editor, inspector, meta, meta-fields-editor, post-meta
Score: 70 (B · Generally Safe)
CVEs total: 6
Unpatched: 1
Last CVE: Mar 7, 2025
Safety Verdict

Is Post Meta Data Manager Safe to Use in 2026?

Mostly Safe

Score 70/100

Post Meta Data Manager is generally safe to use. 6 past CVEs were resolved. Keep it updated.

6 known CVEs · 1 unpatched · Last CVE: Mar 7, 2025 · Updated 1mo ago
Risk Assessment

The "post-meta-data-manager" plugin version 1.4.4 presents a mixed security posture. On the positive side, the static analysis shows a robust implementation regarding SQL queries, all utilizing prepared statements. The presence of multiple nonce and capability checks, along with proper output escaping in a significant portion of cases (70%), suggests an awareness of secure coding practices. Furthermore, the absence of dangerous functions, file operations, and external HTTP requests is a strong indicator of a cleaner codebase in these areas. The limited attack surface, composed of AJAX handlers with none found to be unprotected, also contributes to a better security profile.

However, the plugin's historical vulnerability record is a significant concern. A total of 6 known CVEs, with one currently unpatched, and a history of high and medium severity vulnerabilities including Improper Privilege Management, Cross-Site Scripting, CSRF, and Missing Authorization, point to recurring security flaws in its development. The unpatched vulnerability suggests an ongoing risk to which users are exposed. While the taint analysis shows no immediate issues, the historical pattern of critical and high severity vulnerabilities indicates that the potential for such issues may exist within the codebase or has existed in previous versions, and the current static analysis might not have captured all potential flaws.

In conclusion, while the static analysis reveals some commendable security practices, particularly in data handling and entry point protection, the plugin's past is marred by numerous and serious vulnerabilities, including an unpatched one. This historical context overshadows the positive static analysis findings. Users should exercise caution and prioritize updating to a version that addresses all known vulnerabilities.

Key Concerns

  • Currently unpatched CVE present
  • 3 High severity vulnerabilities historically
  • 3 Medium severity vulnerabilities historically
  • 30% of outputs not properly escaped
  • Bundled outdated library: DataTables
Vulnerabilities
6

Post Meta Data Manager Security Vulnerabilities

CVEs by Year

  • 2023: 4 CVEs
  • 2024: 1 CVE
  • 2025: 1 CVE · unpatched

Severity Breakdown

  • High: 3
  • Medium: 3

6 total CVEs

CVE-2024-13835 · high · 7.2 · Improper Privilege Management

Post Meta Data Manager <= 1.4.4 - Authenticated (Admin+) Multisite Privilege Escalation

Mar 7, 2025 · Unpatched

CVE-2024-6264 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Post Meta Data Manager <= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jul 1, 2024 · Patched in 1.3.0 (1d)

CVE-2023-5776 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Post Meta Data Manager <= 1.2.1 - Cross-Site Request Forgery to Post, Term, and User Meta Deletion

Nov 20, 2023 · Patched in 1.2.2 (64d)

CVE-2023-5426 · high · 7.5 · Missing Authorization

Post Meta Data Manager <= 1.2.0 - Missing Authorization to User, Term, and Post Meta Deletion

Oct 27, 2023 · Patched in 1.2.1 (88d)

CVE-2023-5425 · high · 8.8 · Missing Authorization

Post Meta Data Manager <= 1.2.0 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

Oct 27, 2023 · Patched in 1.2.1 (88d)

Post Meta Data Manager <= 1.2.0 - Missing Authorization to Post, Term, and User Meta Deletion

Oct 20, 2023 · Patched in 1.2.1 (95d)
Code Analysis
Analyzed Mar 16, 2026

Post Meta Data Manager Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 42 (97 escaped)
  • Nonce Checks: 6
  • Capability Checks: 9
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 1

Bundled Libraries

DataTables

Output Escaping

70% escaped · 139 total outputs
Attack Surface

Post Meta Data Manager Attack Surface

Entry Points: 3
Unprotected: 0

AJAX Handlers (3)

  • auth · wp_ajax_pmdm_wp_delete_meta · includes\admin\class-pmdm-wp-admin.php:684
  • auth · wp_ajax_pmdm_wp_delete_user_meta · includes\admin\class-pmdm-wp-admin.php:690
  • auth · wp_ajax_pmdm_wp_delete_term_meta · includes\admin\class-pmdm-wp-admin.php:695

WordPress Hooks (12)

  • action · add_meta_boxes · includes\admin\class-pmdm-wp-admin.php:681
  • action · admin_init · includes\admin\class-pmdm-wp-admin.php:682
  • action · edit_user_profile · includes\admin\class-pmdm-wp-admin.php:687
  • action · show_user_profile · includes\admin\class-pmdm-wp-admin.php:688
  • action · admin_init · includes\admin\class-pmdm-wp-admin.php:689
  • action · admin_init · includes\admin\class-pmdm-wp-admin.php:693
  • action · admin_init · includes\admin\class-pmdm-wp-admin.php:694
  • action · admin_menu · includes\admin\class-pmdm-wp-admin.php:697
  • action · admin_init · includes\admin\class-pmdm-wp-admin.php:698
  • action · before_woocommerce_init · includes\admin\class-pmdm-wp-admin.php:700
  • action · admin_enqueue_scripts · includes\class-pmdm-wp-scripts.php:75
  • action · plugins_loaded · post-meta-data-manager.php:66
Maintenance & Trust

Post Meta Data Manager Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Feb 23, 2026
PHP min version
Downloads: 20K

Community Trust

Rating: 100/100
Number of ratings: 15
Active installs: 1K
Developer Profile

Post Meta Data Manager Developer Profile

WpExpertPlugins

2 plugins · 1K total installs

Trust score: 75
Avg Security Score: 81/100
Avg Patch Time: 67 days
Detection Fingerprints

How We Detect Post Meta Data Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/post-meta-data-manager/includes/css/datatables.min.css
  • /wp-content/plugins/post-meta-data-manager/includes/css/pmdm-wp.css
  • /wp-content/plugins/post-meta-data-manager/includes/js/datatables.min.js
  • /wp-content/plugins/post-meta-data-manager/includes/js/pmdm-wp.js
Script Paths
  • /wp-content/plugins/post-meta-data-manager/includes/js/datatables.min.js
  • /wp-content/plugins/post-meta-data-manager/includes/js/pmdm-wp.js
Version Parameters
  • post-meta-data-manager/includes/js/pmdm-wp.js?ver=
  • post-meta-data-manager/includes/css/pmdm-wp.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • pmdm-wp-datatable-styles
  • pmdm-wp-style
Data Attributes
  • data-postid
JS Globals
  • pmdm_wp_ajax