id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
15276	Ability to change/delete any post's meta if current user can edit any post.	karevn	ryan	"There is a flaw in the logic responsible for saving custom fields - if the current user can edit any post, he can pass a meta values for the posts which he is not allowed to edit.

Steps to reproduce:
1. Open post editor
2. Add some meta
3. Change some meta field's ID value to some another existing meta ID.
4. Click save - meta will be updated.

The cause of the problem is that when saving meta values, WP does not check if meta really belongs to the post being saved. The related code is inside the function update_meta

"	defect (bug)	closed	normal	3.1	Security	3.0.1	normal	fixed	has-patch	otterish@…