CVE-2016-20083
Received - Intake
Cross-Site Request Forgery in WordPress More Fields Plugin

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: VulnCheck

Description
WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability: the plugin does not validate CSRF tokens (WordPress nonces) on its actions, so an attacker can perform unauthorized actions in the context of an authenticated user. Attackers can craft malicious web pages that trick logged-in administrators into adding or deleting custom fields and boxes on the Write/Edit page via POST and GET requests to the options-general.php endpoint.
Affected Vendors & Products (1 associated CPE)
Vendor              Product      Version / Range
more_fields_plugin  more_fields  up to and including 2.1
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Compliance Impact

The provided information does not specify any direct impact of the CVE-2016-20083 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The WordPress More Fields Plugin version 2.1 contains a Cross-Site Request Forgery (CSRF) vulnerability: it performs no CSRF token validation for any of its functions.

This flaw allows attackers to craft malicious web pages that trick logged-in administrators into performing unauthorized actions such as adding or deleting custom fields and boxes on the Write/Edit page via POST or GET requests to the options-general.php endpoint.

Impact Analysis

This vulnerability can lead to unauthorized modifications in the WordPress admin interface.

An attacker can exploit this flaw to add or delete any number of extra custom fields and boxes on the Write/Edit page without the administrator's consent.

Such unauthorized changes could disrupt website functionality, content management, or introduce malicious content.

Detection Guidance

This vulnerability involves unauthorized POST or GET requests to the options-general.php endpoint that add or delete custom fields and boxes without valid CSRF tokens.

To detect exploitation attempts on your network or system, you can monitor HTTP requests targeting the options-general.php endpoint, especially those that perform POST or GET actions related to adding or deleting fields or boxes in the WordPress admin panel.

Suggested commands include using network traffic analysis tools or web server logs to filter requests:

  • Using grep on web server access logs to find suspicious POST or GET requests to options-general.php: grep -i 'options-general.php' /var/log/apache2/access.log | grep -E 'POST|GET'
  • Using tcpdump or Wireshark to capture HTTP traffic and filter for requests to options-general.php.
  • Reviewing WordPress admin activity logs (if available) for unexpected changes to custom fields or boxes.
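
The grep above only narrows the log to the endpoint; the property that actually distinguishes a forged request from normal admin navigation is that the browser sends it from another site, so the Referer is either cross-origin or absent. The following is an added example (not part of the advisory) that applies that heuristic to Apache/nginx combined-format access lines. The sample log lines and the `page=more-fields` query string are constructed placeholders; the plugin's real parameter names are not given here.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def flag_csrf_candidates(lines, site_host):
    """Return (ts, ip, method, path, reason) for GET/POST requests to
    options-general.php whose Referer is missing or from another host,
    the shape a cross-site forged request takes. Heuristic only: some
    browsers and privacy settings strip Referer, so treat each hit as a
    lead to confirm against the WordPress admin activity log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or 'options-general.php' not in m['path']:
            continue
        if m['method'] not in ('GET', 'POST'):
            continue
        # A Referer of "-" means none was sent; urlsplit yields hostname None.
        ref_host = urlsplit(m['referer']).hostname if m['referer'] != '-' else None
        if ref_host is None:
            reason = 'no Referer'
        elif ref_host.lower() != site_host.lower():
            reason = f'cross-site Referer from {ref_host}'
        else:
            continue  # same-origin admin navigation, not suspicious
        hits.append((m['ts'], m['ip'], m['method'], m['path'], reason))
    return hits

# Constructed sample lines (not taken from any real server); hosts use reserved names.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Jun/2026:10:01:02 +0000] "GET /wp-admin/options-general.php?page=more-fields HTTP/1.1" 200 512 "https://blog.example/wp-admin/" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Jun/2026:10:02:45 +0000] "POST /wp-admin/options-general.php?page=more-fields HTTP/1.1" 302 0 "https://attacker.invalid/lure.html" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Jun/2026:10:02:46 +0000] "GET /wp-admin/options-general.php?page=more-fields&delete=3 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Jun/2026:10:03:00 +0000] "GET /wp-content/uploads/a.png HTTP/1.1" 200 9000 "https://attacker.invalid/lure.html" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in flag_csrf_candidates(SAMPLE_LOG, 'blog.example'):
        print(*hit)
```

Run it against your own access log by replacing SAMPLE_LOG with the file's lines and site_host with the site's hostname; the first sample line is legitimate admin navigation and is not reported.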
Mitigation Strategies

The immediate mitigation is to deactivate or replace the vulnerable More Fields plugin, since it lacks CSRF token validation.

Since the More Fields plugin development has ceased and no updates are available, the recommended solution is to switch to a different plugin that properly implements CSRF protections.

Additionally, restrict administrative access to trusted users only and consider implementing web application firewall (WAF) rules to block suspicious POST or GET requests to options-general.php.
