Description
The Add Custom Fields to Media plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.3. This is due to missing nonce validation on the field deletion functionality in the admin display template. The plugin properly validates a nonce for the 'add field' operation (line 24-36), but the 'delete field' operation (lines 38-49) processes the $_GET['delete'] parameter and calls update_option() without any nonce verification. This makes it possible for unauthenticated attackers to delete arbitrary custom media fields via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-03-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Deletion of Media Custom Fields
Action: Patch Now
AI Analysis

Impact

The Add Custom Fields to Media plugin for WordPress allows Cross‑Site Request Forgery (CWE‑352) because the admin display template processes the 'delete' parameter without nonce validation. An unauthenticated attacker who gets a logged‑in administrator to follow a crafted link causes that administrator's browser to send a GET request carrying the 'delete' parameter; the plugin then calls update_option() and removes the named custom media field, and the attacker never needs credentials of their own. The result is loss of the field definition and of any workflow that depends on it; the CVSS vector (C:N/I:L/A:N) scores this as an integrity impact only.

Affected Systems

All installations of the Add Custom Fields to Media plugin from vendor pattihis at version 2.0.3 or earlier are vulnerable. The record lists no fixed version; a release can only be considered safe once it adds nonce validation to the delete branch of the admin display template.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (Medium; AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). The EPSS estimate is below 1% and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: partial. Exploitation requires no credentials from the attacker but does require user interaction: an administrator who is logged into the WordPress admin area must visit a URL that carries the 'delete' parameter, and the browser attaches the admin session cookies to that request. Because the action is triggered by a plain GET, a browser's default SameSite=Lax cookie policy does not block it, since cookies are still sent on top‑level navigations such as clicking a link. The risk is moderate and limited to the integrity of custom media field data.

Generated by OpenCVE AI on March 19, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Add Custom Fields to Media plugin as soon as a release that adds nonce validation for the delete operation is available; at the time of this record no fixed version is listed, so check the plugin changelog before relying on an upgrade.
  • If an upgrade is not possible, either deactivate the plugin or patch the delete branch locally so that it verifies a nonce (check_admin_referer()) and the caller's capability before calling update_option(), and emit delete links with wp_nonce_url(). Removing the delete branch entirely also closes the hole, at the cost of the feature.
  • A Web Application Firewall cannot distinguish a legitimate delete from a forged one without the nonce, but it can block or challenge admin‑area requests that carry the 'delete' parameter with a missing or off‑site Referer header, or block that parameter outright until the plugin is fixed.
  • Restrict the WordPress admin interface to trusted administrators. Two‑factor authentication does not stop CSRF, because the forged request rides on an already authenticated session; its value here is in limiting who can be targeted.
  • Regularly verify the integrity of the plugin files and monitor for unauthorized modifications.
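The pattern described in the Impact section and the local patch suggested above, as an added example (this is not the plugin's code and not a vendor fix). The handler below keeps custom media field definitions in one option, first in the vulnerable shape the advisory describes (a delete branch that trusts $_GET['delete'] and calls update_option() with no nonce), then hardened with a per‑field nonce, a capability check and a post‑action redirect. The option name 'acfm_demo_fields', page slug 'acfm-demo', parent page 'upload.php' and capability 'manage_options' are assumptions for the example, not values taken from the plugin.

```php
<?php
/**
 * Added example, not the plugin's code. Assumed names (hypothetical):
 * option 'acfm_demo_fields', admin page slug 'acfm-demo' under upload.php,
 * capability 'manage_options'. Field definitions are stored as key => label.
 */

const ACFM_DEMO_OPTION = 'acfm_demo_fields';
const ACFM_DEMO_PAGE   = 'acfm-demo';

/* --- Vulnerable shape: the delete branch trusts $_GET['delete'] outright. --- */
function acfm_demo_handle_delete_vulnerable() {
    if ( empty( $_GET['delete'] ) ) {
        return;
    }
    $fields = (array) get_option( ACFM_DEMO_OPTION, array() );
    unset( $fields[ sanitize_key( wp_unslash( $_GET['delete'] ) ) ] );
    // No nonce and no capability check: any cross-site GET an administrator's
    // browser follows (link, image tag, redirect) performs the deletion.
    update_option( ACFM_DEMO_OPTION, $fields );
}

/* --- Hardened shape: nonce bound to the specific field, plus capability check. --- */
function acfm_demo_delete_url( $field_key ) {
    $url = add_query_arg(
        array( 'page' => ACFM_DEMO_PAGE, 'delete' => $field_key ),
        admin_url( 'upload.php' ) // assumption: the page lives under the Media menu
    );
    // The nonce action embeds the key, so a nonce minted for one field
    // cannot be replayed to delete a different one.
    return wp_nonce_url( $url, 'acfm_demo_delete_' . $field_key, '_acfm_nonce' );
}

function acfm_demo_handle_delete_hardened() {
    if ( empty( $_GET['delete'] ) ) {
        return;
    }
    $field_key = sanitize_key( wp_unslash( $_GET['delete'] ) );

    // 1. Authorization: a nonce alone is not enough; a low-privilege user who
    //    can reach the page must still be refused.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete media fields.', 'acfm-demo' ), 403 );
    }

    // 2. CSRF: check_admin_referer() verifies the nonce (tied to the current
    //    user's session and to this action) and dies with the standard
    //    "link has expired" page if it is missing or invalid.
    check_admin_referer( 'acfm_demo_delete_' . $field_key, '_acfm_nonce' );

    $fields = (array) get_option( ACFM_DEMO_OPTION, array() );
    if ( isset( $fields[ $field_key ] ) ) {
        unset( $fields[ $field_key ] );
        update_option( ACFM_DEMO_OPTION, $fields );
    }

    // 3. Redirect after the state change so the nonce-bearing URL does not
    //    stay in the address bar or get re-submitted on refresh.
    wp_safe_redirect( remove_query_arg( array( 'delete', '_acfm_nonce' ) ) );
    exit;
}

/* Render: every delete link carries its own nonce. */
function acfm_demo_render_field_list() {
    $fields = (array) get_option( ACFM_DEMO_OPTION, array() );
    echo '<ul>';
    foreach ( $fields as $key => $label ) {
        printf(
            '<li>%s <a href="%s">%s</a></li>',
            esc_html( $label ),
            esc_url( acfm_demo_delete_url( $key ) ),
            esc_html__( 'Delete', 'acfm-demo' )
        );
    }
    echo '</ul>';
}
```

Two points worth checking in any local patch of this kind: the nonce action string must include the field key (a nonce for the 'delete' page in general would let an attacker who obtained one nonce, for example from a screenshot, delete any field), and the handler should run only after the capability check, since check_admin_referer() proves the request came from the site's own link but says nothing about who is allowed to use it. A state‑changing GET also remains a poor design even with the nonce; moving the delete to a POST form with wp_nonce_field() is the better long‑term shape.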


Advisories

No advisories yet.

History

Fri, 20 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
(The 'version' key here is the SSVC schema version, not the plugin version.)

Thu, 19 Mar 2026 09:45:00 +0000

Type: First Time appeared
Values added: Pattihis; Pattihis add Custom Fields To Media; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Pattihis; Pattihis add Custom Fields To Media; Wordpress; Wordpress wordpress

Thu, 19 Mar 2026 07:15:00 +0000

Type: Description
Values added: The Add Custom Fields to Media plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.3. This is due to missing nonce validation on the field deletion functionality in the admin display template. The plugin properly validates a nonce for the 'add field' operation (line 24-36), but the 'delete field' operation (lines 38-49) processes the $_GET['delete'] parameter and calls update_option() without any nonce verification. This makes it possible for unauthenticated attackers to delete arbitrary custom media fields via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values added: Add Custom Fields to Media <= 2.0.3 - Cross-Site Request Forgery to Custom Field Deletion via 'delete' Parameter

Type: Weaknesses
Values added: CWE-352

Type: References
Values added:

Type: Metrics (cvssV3_1)
Values added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Pattihis Add Custom Fields To Media
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:27.727Z

Reserved: 2026-03-12T19:38:07.679Z

Link: CVE-2026-4068

Vulnrichment

Updated: 2026-03-19T17:12:18.464Z

NVD

Status : Awaiting Analysis

Published: 2026-03-19T07:16:00.090

Modified: 2026-03-19T13:25:00.570

Link: CVE-2026-4068

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:15:51Z

Weaknesses