Description

The plugin does not prevent users with at least the contributor role from accessing arbitrary custom fields assigned to other users' posts.
1. ADMIN: Install Meta Box
2. ADMIN: Add Meta Box fields through code or the premium add-on (https://gist.github.com/sc0ttkclark/f4f1b94d3a8bc7f00614acf5d80dbd2e)
3. CONTRIBUTOR: Add the shortcode to any post, specify/guess any post ID + field key, and save
4. CONTRIBUTOR: Preview the post and see that the custom field is output without any further checks for access

Example shortcode: [rwmb_meta object_id="ANY_POST_ID" id="ANY_META_BOX_FIELD_KEY"]
Example shortcode for my Gist: [rwmb_meta object_id="1234" id="test_field"]
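
For auditing a site that ran the affected version, the following added example (not code from the plugin or the advisory) scans post content for rwmb_meta shortcodes whose object_id points at a post owned by a different author. It assumes rows exported from wp_posts (ID, post_author, post_content) into a dict; the function names and sample rows are constructed for illustration.

```python
import re

# The shortcode tag named in the advisory; group 1 is its raw attribute string.
SHORTCODE_RE = re.compile(r"\[rwmb_meta\b([^\]]*)\]")
# Attribute forms: key="value", key='value' or key=value
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

def parse_shortcodes(content):
    """Yield one attribute dict per [rwmb_meta ...] shortcode found in content."""
    for m in SHORTCODE_RE.finditer(content):
        attrs = {}
        for key, dq, sq, bare in ATTR_RE.findall(m.group(1)):
            attrs[key.lower()] = dq or sq or bare
        yield attrs

def find_cross_author_reads(posts):
    """posts maps post ID -> {"author": int, "content": str}.
    Report shortcodes that pull a field from a post the embedding author does not own."""
    findings = []
    for post_id, post in sorted(posts.items()):
        for attrs in parse_shortcodes(post["content"]):
            raw = attrs.get("object_id", "")
            if not raw.isdecimal():
                continue  # no numeric object_id to compare against
            target = int(raw)
            # owner is None when the target ID is not in the export (e.g. a guessed ID)
            owner = posts.get(target, {}).get("author")
            if target != post_id and owner != post["author"]:
                findings.append({"post": post_id, "author": post["author"],
                                 "target": target, "target_owner": owner,
                                 "field": attrs.get("id", "")})
    return findings

# Constructed sample rows: author 1 is an admin, author 7 a contributor.
SAMPLE_POSTS = {
    1234: {"author": 1, "content": "Internal notes"},
    2001: {"author": 7, "content": 'Draft [rwmb_meta object_id="1234" id="test_field"]'},
    2002: {"author": 7, "content": "[rwmb_meta object_id='2001' id=test_field]"},
    2003: {"author": 1, "content": '[rwmb_meta id="test_field"]'},
    2004: {"author": 7, "content": "[rwmb_meta object_id=9999 id=test_field]"},
}

if __name__ == "__main__":
    for finding in find_cross_author_reads(SAMPLE_POSTS):
        print(finding)
```

Include drafts and revisions in the export, since the advisory's steps only require previewing the post, not publishing it.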
| CPE | Name | Operator | Version |
|---|---|---|---|
| | | eq | 5.9.4 |