The Delete Usermeta plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing nonce validation on the delumet_options_page() function. This makes it possible for unauthenticated attackers to remove user meta for arbitrary users via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| jose-lazo | Delete Usermetas | unaffected |
|
No data.
No data.
Advisories
| Source | ID | Title |
|---|---|---|
 EUVD |
EUVD-2023-57849 | The Delete Usermeta plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing nonce validation on the delumet_options_page() function. This makes it possible for unauthenticated attackers to remove user meta for arbitrary users via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Wed, 08 Apr 2026 17:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Delete Usermetas <= 1.1.2 - Cross-Site Request Forgery |
Projects
Sign in to view the affected projects.
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T16:41:59.500Z
Reserved: 2023-10-11T22:24:37.762Z
Link: CVE-2023-5537
Vulnrichment
No data.
NVD
Status : Modified
Published: 2023-11-22T16:15:13.310
Modified: 2026-04-08T17:17:08.930
Link: CVE-2023-5537
Redhat
No data.
OpenCVE Enrichment
No data.
Weaknesses