Meta Box < 5.9.4 - Contributor+ Arbitrary Posts' Custom Field Disclosure

Description The plugin does not prevent users with at least the contributor role from access arbitrary custom fields assigned to other user’s posts.

PoC

1. ADMIN: Install Meta Box 2. ADMIN: Add Meta Box fields through code or the premium add-on (https://gist.github.com/sc0ttkclark/f4f1b94d3a8bc7f00614acf5d80dbd2e) 3. CONTRIBUTOR: Add shortcode to any post and specify/guess any post ID + field key and save 4. CONTRIBUTOR: Preview the post and see that custom field is output without any further checks for access Example shortcode: [rwmb_meta object_id="ANY_POST_ID" id="ANY_META_BOX_FIELD_KEY"] Example shortcode for my Gist: [rwmb_meta object_id="1234" id="test_field"]