CVE-2023-5537 in Delete Usermetas Plugininfo

Summary

by MITRE • 11/22/2023

The Delete Usermeta plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing nonce validation on the delumet_options_page() function. This makes it possible for unauthenticated attackers to remove user meta for arbitrary users via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 04/11/2026

The Delete Usermeta plugin for WordPress presents a critical cross-site request forgery vulnerability that affects versions up to and including 1.1.2. This vulnerability stems from the absence of proper nonce validation within the delumet_options_page() function, creating a significant security gap that adversaries can exploit to manipulate user metadata. The flaw specifically targets the plugin's administrative functionality, where legitimate users with administrative privileges are tricked into executing malicious actions without their knowledge or consent. This type of vulnerability falls under the CWE-352 category, which classifies cross-site request forgery flaws as a serious concern in web application security. The vulnerability's impact is particularly concerning because it allows attackers to perform unauthorized operations against user metadata, potentially leading to data corruption, privilege escalation, or user account compromise.

The technical implementation of this vulnerability occurs when an attacker crafts a malicious request that targets the plugin's administrative endpoint. Without nonce validation, the WordPress plugin fails to verify that requests originate from legitimate administrative sessions. This allows an unauthenticated attacker to construct a forged request that, when executed by an administrator, removes user metadata from arbitrary accounts. The attack vector typically involves social engineering techniques where administrators are tricked into clicking malicious links or visiting compromised websites that trigger the forged requests. The vulnerability demonstrates a fundamental failure in the plugin's security implementation, as proper nonce validation should be mandatory for any administrative functions that modify user data. This weakness directly violates security best practices outlined in the OWASP Top Ten and aligns with ATT&CK technique T1078 which covers valid accounts and credential access.

The operational impact of this vulnerability extends beyond simple data manipulation, as it creates potential pathways for more sophisticated attacks. An attacker could use this vulnerability to remove critical user metadata that might affect authentication mechanisms, user permissions, or application functionality. The compromised state could lead to denial of service conditions where users lose access to their accounts, or more insidiously, allow attackers to manipulate user roles and permissions. This vulnerability is particularly dangerous in environments where administrators frequently visit untrusted websites or where social engineering attacks are common. The lack of authentication verification combined with the administrative nature of the affected function creates a dangerous combination that could result in significant data integrity issues. Organizations using affected plugin versions face potential regulatory compliance issues as this vulnerability could be classified as a security breach under data protection regulations such as GDPR or HIPAA, depending on the nature of the data involved.

Mitigation strategies for this vulnerability must be implemented immediately upon discovery of the affected plugin versions. The primary remediation involves updating to the latest version of the Delete Usermeta plugin where nonce validation has been properly implemented. Security administrators should also consider implementing additional protective measures such as network-level restrictions on administrative endpoints, monitoring for suspicious administrative activity, and conducting regular security audits of installed plugins. Organizations should enforce strict access controls and implement multi-factor authentication for administrative accounts to reduce the impact of potential exploitation. The vulnerability highlights the importance of proper input validation and authentication mechanisms in web applications, emphasizing that all administrative functions must include robust security checks. Regular security assessments and vulnerability scanning should be implemented to identify similar issues in other plugins or custom code implementations. Additionally, administrators should maintain updated security awareness training to prevent social engineering attacks that exploit this type of vulnerability, as the attack often relies on human factors rather than purely technical exploitation methods.

Reservation

10/11/2023

Disclosure

11/22/2023

Moderation

accepted

CPE

ready

EPSS

0.00297

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!