CVE-2026-4068
Received Received - Intake
CSRF Vulnerability in WordPress Add Custom Fields Plugin Allows Field Deletion

Publication date: 2026-03-19

Last updated on: 2026-03-19

Assigner: Wordfence

Description
The Add Custom Fields to Media plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.3. This is due to missing nonce validation on the field deletion functionality in the admin display template. The plugin properly validates a nonce for the 'add field' operation (line 24-36), but the 'delete field' operation (lines 38-49) processes the $_GET['delete'] parameter and calls update_option() without any nonce verification. This makes it possible for unauthenticated attackers to delete arbitrary custom media fields via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4068
EUVD
EUVD-2026-13070
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence add_custom_fields_to_media to 2.0.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Add Custom Fields to Media plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 2.0.3. This vulnerability occurs because the plugin does not verify a security nonce when deleting custom media fields via a GET request. While adding fields requires nonce validation, deleting fields does not, allowing an attacker to trick an authenticated site administrator into clicking a malicious link that deletes arbitrary custom media fields without their consent.

Impact Analysis

This vulnerability allows unauthenticated attackers to delete arbitrary custom media fields by tricking a site administrator into performing an action such as clicking a specially crafted link. This can lead to loss of important metadata associated with media items, potentially disrupting site functionality or content management.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves the deletion of custom media fields via a GET request with a 'delete' parameter lacking proper nonce verification in versions up to 2.0.3 of the Add Custom Fields to Media WordPress plugin."}, {'type': 'paragraph', 'content': "To detect exploitation attempts on your system or network, you can monitor HTTP requests targeting the WordPress admin interface that include the 'delete' parameter in the URL query string without a valid nonce."}, {'type': 'paragraph', 'content': 'For example, you can search your web server logs for suspicious GET requests like:'}, {'type': 'list_item', 'content': "GET requests to URLs containing 'delete=' parameter targeting the plugin's admin page."}, {'type': 'list_item', 'content': "Requests missing a valid nonce parameter (e.g., '_wpnonce') in the query string."}, {'type': 'paragraph', 'content': 'A sample command to search Apache or Nginx logs for such requests might be:'}, {'type': 'list_item', 'content': "grep -i 'delete=' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "grep -i 'delete=' /var/log/nginx/access.log"}, {'type': 'paragraph', 'content': 'Further filtering can be done to identify requests without a nonce parameter or with suspicious referrers that might indicate CSRF attempts.'}] [1, 4]

Mitigation Strategies

The primary mitigation is to update the Add Custom Fields to Media plugin to version 2.0.4 or later, which includes a security fix that adds nonce verification to the deletion operation, preventing CSRF attacks.

If immediate updating is not possible, consider temporarily disabling the plugin or restricting access to the WordPress admin area to trusted users only.

Additionally, monitor and audit admin actions and web server logs for suspicious deletion requests as a precaution.

Ensure that WordPress and all plugins are kept up to date to benefit from security patches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4068. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart