PT-2026-26258 · WordPress · Add Custom Fields To Media

Nabil Irawan · Published 2026-03-19 · Updated 2026-03-23 · CVE-2026-4068

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Add Custom Fields to Media plugin for WordPress versions up to and including 2.0.3

Description

The Add Custom Fields to Media plugin for WordPress is susceptible to Cross-Site Request Forgery. This is a result of a lack of nonce validation on the field deletion functionality within the admin display template. While nonce validation is present for adding fields, the deletion process, which utilizes the $_GET['delete'] parameter and calls update_option(), lacks this crucial security measure. This allows attackers to delete custom media fields by forging requests, provided they can induce a site administrator to perform an action, such as clicking a malicious link.

Recommendations

Update the Add Custom Fields to Media plugin to a version later than 2.0.3.
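
For developers auditing similar admin templates, the following added example (not the plugin's own code) shows a deletion handler with the shape the description gives, next to a version that verifies a nonce and capability before calling update_option(). The option name `acfm_example_fields`, the nonce action prefix `acfm_delete_field_`, the page slug `acfm-example` and all function names are hypothetical.

```php
<?php
// Added illustration; not the plugin's source. The option name, nonce
// action, page slug and function names are hypothetical.
const ACFM_OPTION = 'acfm_example_fields';

// Pattern the advisory describes: a GET parameter drives update_option()
// with no nonce check, so any request the admin's browser sends is honoured.
function acfm_delete_field_unchecked() {
    if ( isset( $_GET['delete'] ) ) {
        $fields = (array) get_option( ACFM_OPTION, array() );
        unset( $fields[ $_GET['delete'] ] );
        update_option( ACFM_OPTION, $fields );
    }
}

// Hardened form: capability check, nonce bound to the specific field, and a
// sanitised key. Hook on admin_init so the redirect runs before any output.
function acfm_delete_field_checked() {
    if ( ! isset( $_GET['delete'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $key = sanitize_key( wp_unslash( $_GET['delete'] ) );

    // Stops with a 403 page if _wpnonce is missing, expired or was issued
    // for a different field or a different user session.
    check_admin_referer( 'acfm_delete_field_' . $key );

    $fields = (array) get_option( ACFM_OPTION, array() );
    if ( array_key_exists( $key, $fields ) ) {
        unset( $fields[ $key ] );
        update_option( ACFM_OPTION, $fields );
    }
    // Drop the action parameters so a reload cannot replay the request.
    wp_safe_redirect( remove_query_arg( array( 'delete', '_wpnonce' ) ) );
    exit;
}
add_action( 'admin_init', 'acfm_delete_field_checked' );

// The delete link rendered in the admin template must carry the same nonce.
function acfm_delete_link( $key ) {
    $url = add_query_arg(
        array( 'page' => 'acfm-example', 'delete' => $key ),
        admin_url( 'upload.php' )
    );
    return esc_url( wp_nonce_url( $url, 'acfm_delete_field_' . $key ) );
}
```

When reviewing other plugins for the same weakness, look for any branch keyed on `$_GET` or `$_POST` that reaches `update_option()`, `delete_option()` or similar writes without a preceding `check_admin_referer()` or `wp_verify_nonce()` call.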

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2026-4068

Affected Products

Add Custom Fields To Media