Skip to main content

WP Meta and Date Remover CVE-2026-49051

| EUVDEUVD-2026-32541 MEDIUM
Missing Authorization (CWE-862)
2026-05-27 audit@patchstack.com GHSA-gq7p-2w5v-c75x
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:10 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Prasad Kirpekar WP Meta and Date Remover allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects WP Meta and Date Remover: from n/a through 2.3.6.

AnalysisAI

Missing authorization in the WP Meta and Date Remover WordPress plugin (versions through 2.3.6) allows low-privileged authenticated users to exploit incorrectly configured access control levels, resulting in unauthorized read access to restricted information. The CVSS vector (PR:L, C:L) confirms that exploitation requires a valid WordPress account and yields only partial confidentiality exposure with no integrity or availability impact. No public exploit code has been identified and CISA SSVC rates exploitation as none, making this a lower-urgency but real access control gap in WordPress environments running the affected plugin.

Technical ContextAI

The vulnerability is rooted in CWE-862 (Missing Authorization), a class of flaw where a WordPress plugin registers administrative or functional endpoints - typically AJAX handlers or settings-management callbacks - without enforcing proper WordPress capability checks (e.g., current_user_can()). WP Meta and Date Remover is a plugin designed to strip author meta and date information from WordPress post displays; its administrative configuration functionality appears to lack authorization gates, allowing authenticated users below the intended privilege level to interact with those endpoints. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:U indicates the flaw is reachable over the network, requires no special conditions or user interaction, is limited in scope to the vulnerable component, and demands only a low-privilege account. The Patchstack audit (audit@patchstack.com) and ENISA EUVD-2026-32541 corroborate the CWE-862 classification.

RemediationAI

Update WP Meta and Date Remover to the version released after 2.3.6 if available; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-meta-and-date-remover/vulnerability/wordpress-wp-meta-and-date-remover-plugin-2-3-6-broken-access-control-vulnerability should be checked for the confirmed fixed version, as no specific patched release number was confirmed in the available intelligence. Additional context may be found at https://vuldb.com/vuln/366384. If a patched version is not yet available or immediate upgrading is not feasible, a compensating control is to restrict WordPress site registration and ensure that only fully trusted users hold any authenticated role (Subscriber and above); this reduces but does not eliminate exposure, as any valid account can trigger the flaw. WordPress administrators may also consider temporarily deactivating the plugin until a patch is confirmed, accepting the trade-off of losing post meta and date stripping functionality. No patch version has been independently confirmed from the available source data.

Share

CVE-2026-49051 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy