CVE-2026-4068
CSRF Vulnerability in WordPress Add Custom Fields Plugin Allows Field Deletion
Publication date: 2026-03-19
Last updated on: 2026-03-19
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | add_custom_fields_to_media | to 2.0.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Add Custom Fields to Media plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 2.0.3. This vulnerability occurs because the plugin does not verify a security nonce when deleting custom media fields via a GET request. While adding fields requires nonce validation, deleting fields does not, allowing an attacker to trick an authenticated site administrator into clicking a malicious link that deletes arbitrary custom media fields without their consent.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated attackers to delete arbitrary custom media fields by tricking a site administrator into performing an action such as clicking a specially crafted link. This can lead to loss of important metadata associated with media items, potentially disrupting site functionality or content management.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability involves the deletion of custom media fields via a GET request with a 'delete' parameter lacking proper nonce verification in versions up to 2.0.3 of the Add Custom Fields to Media WordPress plugin."}, {'type': 'paragraph', 'content': "To detect exploitation attempts on your system or network, you can monitor HTTP requests targeting the WordPress admin interface that include the 'delete' parameter in the URL query string without a valid nonce."}, {'type': 'paragraph', 'content': 'For example, you can search your web server logs for suspicious GET requests like:'}, {'type': 'list_item', 'content': "GET requests to URLs containing 'delete=' parameter targeting the plugin's admin page."}, {'type': 'list_item', 'content': "Requests missing a valid nonce parameter (e.g., '_wpnonce') in the query string."}, {'type': 'paragraph', 'content': 'A sample command to search Apache or Nginx logs for such requests might be:'}, {'type': 'list_item', 'content': "grep -i 'delete=' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "grep -i 'delete=' /var/log/nginx/access.log"}, {'type': 'paragraph', 'content': 'Further filtering can be done to identify requests without a nonce parameter or with suspicious referrers that might indicate CSRF attempts.'}] [1, 4]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update the Add Custom Fields to Media plugin to version 2.0.4 or later, which includes a security fix that adds nonce verification to the deletion operation, preventing CSRF attacks.
If immediate updating is not possible, consider temporarily disabling the plugin or restricting access to the WordPress admin area to trusted users only.
Additionally, monitor and audit admin actions and web server logs for suspicious deletion requests as a precaution.
Ensure that WordPress and all plugins are kept up to date to benefit from security patches.