Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Prasad Kirpekar WP Meta and Date Remover allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects WP Meta and Date Remover: from n/a through 2.3.6.
AnalysisAI
Missing authorization in the WP Meta and Date Remover WordPress plugin (versions through 2.3.6) allows low-privileged authenticated users to exploit incorrectly configured access control levels, resulting in unauthorized read access to restricted information. The CVSS vector (PR:L, C:L) confirms that exploitation requires a valid WordPress account and yields only partial confidentiality exposure with no integrity or availability impact. No public exploit code has been identified and CISA SSVC rates exploitation as none, making this a lower-urgency but real access control gap in WordPress environments running the affected plugin.
Technical ContextAI
The vulnerability is rooted in CWE-862 (Missing Authorization), a class of flaw where a WordPress plugin registers administrative or functional endpoints - typically AJAX handlers or settings-management callbacks - without enforcing proper WordPress capability checks (e.g., current_user_can()). WP Meta and Date Remover is a plugin designed to strip author meta and date information from WordPress post displays; its administrative configuration functionality appears to lack authorization gates, allowing authenticated users below the intended privilege level to interact with those endpoints. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:U indicates the flaw is reachable over the network, requires no special conditions or user interaction, is limited in scope to the vulnerable component, and demands only a low-privilege account. The Patchstack audit (audit@patchstack.com) and ENISA EUVD-2026-32541 corroborate the CWE-862 classification.
RemediationAI
Update WP Meta and Date Remover to the version released after 2.3.6 if available; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-meta-and-date-remover/vulnerability/wordpress-wp-meta-and-date-remover-plugin-2-3-6-broken-access-control-vulnerability should be checked for the confirmed fixed version, as no specific patched release number was confirmed in the available intelligence. Additional context may be found at https://vuldb.com/vuln/366384. If a patched version is not yet available or immediate upgrading is not feasible, a compensating control is to restrict WordPress site registration and ensure that only fully trusted users hold any authenticated role (Subscriber and above); this reduces but does not eliminate exposure, as any valid account can trigger the flaw. WordPress administrators may also consider temporarily deactivating the plugin until a patch is confirmed, accepting the trade-off of losing post meta and date stripping functionality. No patch version has been independently confirmed from the available source data.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32541
GHSA-gq7p-2w5v-c75x