CVE-2026-3173 is an authorization bypass vulnerability in the Meta Field Block WordPress plugin (up to version 1.5.1). The plugin allows users to specify arbitrary object IDs and types in block attributes without verifying if the user has permission to access the associated metadata. This insecure direct object reference (CWE-639) enables authenticated users with Contributor or higher privileges to read arbitrary user, post, and term meta data from the database. Sensitive information such as names, emails, phone numbers, and addresses stored in meta fields by other plugins (e.g., WooCommerce) may be exposed. The vulnerability is network exploitable with low attack complexity and no user interaction required, but requires authenticated access.

An attacker with Contributor-level or higher access can read arbitrary metadata from any object in the WordPress database, potentially exposing sensitive Personally Identifiable Information (PII) such as billing and shipping details. This compromises confidentiality but does not affect integrity or availability. The impact is significant on sites storing sensitive data in meta fields, increasing privacy risks and potential regulatory compliance issues.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Contributor-level access to trusted users only and monitor for suspicious activity. Avoid storing sensitive information in meta fields accessible by this plugin if possible. Follow updates from the plugin vendor for patches or temporary mitigations.