Cross-Site Request Forgery Vulnerability in Add Custom Fields to Media Plugin by WordPress
CVE-2026-4068
4.3 MEDIUM
What is CVE-2026-4068?
The Add Custom Fields to Media plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) because the field deletion process performs no nonce validation. Nonce validation is implemented for adding fields, but the deletion functionality does not perform the necessary check. An unauthenticated attacker can therefore delete custom media fields with a forged request, provided a site administrator is tricked into an action such as clicking a malicious link. The attacker needs no credentials of their own, because the forged request runs in the administrator's logged-in session. The result is potential data loss and site integrity issues.
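The missing check described above, shown as an added example beside its corrected form. This is hypothetical plugin code, not the Add Custom Fields to Media source: the option name `example_media_fields`, the query argument `example_delete_field`, and all function names are assumptions made for illustration.

```php
<?php
// Added illustration with hypothetical names; not the plugin's own code.

// Unprotected pattern: a state-changing admin request that relies on the
// administrator's session cookie alone. No nonce, no capability check.
function example_delete_field_unsafe() {
    if ( isset( $_GET['example_delete_field'] ) ) {
        $fields = get_option( 'example_media_fields', array() );
        unset( $fields[ sanitize_key( wp_unslash( $_GET['example_delete_field'] ) ) ] );
        update_option( 'example_media_fields', $fields );
    }
}

// Corrected pattern: capability check plus a nonce bound to the specific field.
function example_delete_field_safe() {
    if ( ! isset( $_GET['example_delete_field'] ) ) {
        return;
    }
    $field = sanitize_key( wp_unslash( $_GET['example_delete_field'] ) );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Stops the request unless _wpnonce is valid for this user, this action
    // string and the current nonce lifetime window.
    check_admin_referer( 'example_delete_field_' . $field );

    $fields = get_option( 'example_media_fields', array() );
    unset( $fields[ $field ] );
    update_option( 'example_media_fields', $fields );

    // Redirect so the nonce-bearing URL does not stay in the address bar.
    wp_safe_redirect( remove_query_arg( array( 'example_delete_field', '_wpnonce' ) ) );
    exit;
}
add_action( 'admin_init', 'example_delete_field_safe' );

// The delete link rendered in the admin screen must carry the matching nonce.
function example_delete_field_url( $field ) {
    $url = add_query_arg( 'example_delete_field', rawurlencode( $field ), admin_url( 'upload.php' ) );
    return wp_nonce_url( $url, 'example_delete_field_' . sanitize_key( $field ) );
}
```

When reviewing a plugin for this class of bug, compare every handler that writes or deletes data against the handlers that already call `check_admin_referer()` or `wp_verify_nonce()`; a delete path that lacks the call its sibling add path has is the pattern this CVE describes.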
Affected Version(s)
Add Custom Fields to Media: versions 0 through 2.0.3 (<= 2.0.3)