Plattform
wordpress
Komponente
add-custom-fields-to-media
Behoben in
2.0.4
CVE-2026-4068 represents a Cross-Site Request Forgery (XSRF) vulnerability affecting the Add Custom Fields to Media plugin for WordPress. This flaw allows unauthenticated attackers to delete custom media fields by crafting malicious requests. The vulnerability impacts versions from 0.0.0 through 2.0.3. A patch is available in version 2.0.4.
An attacker can exploit this XSRF vulnerability to delete arbitrary custom media fields within a WordPress site. This could disrupt workflows, remove important metadata associated with media files, and potentially lead to data loss. While the direct impact might seem limited, the ability to modify site configuration through forged requests can be a stepping stone for further attacks, especially if custom fields are integral to site functionality. The lack of nonce validation on the deletion functionality makes this vulnerability relatively easy to exploit.
This vulnerability was publicly disclosed on 2026-03-19. While no active exploitation campaigns have been publicly reported, the ease of exploitation and the plugin's popularity suggest a potential for opportunistic attacks. No Proof of Concept (PoC) code has been publicly released, but the vulnerability is straightforward to exploit given the missing nonce validation. It is not currently listed on the CISA KEV catalog.
Exploit-Status
EPSS
0.02% (3% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2026-4068 is to immediately upgrade the Add Custom Fields to Media plugin to version 2.0.4 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out requests containing the 'delete' parameter in the GET request without proper authentication. Additionally, restrict access to the plugin's admin pages to authorized users only. After upgrading, confirm the fix by attempting to delete a custom media field via a crafted XSRF request – it should be rejected.
Aktualisieren Sie auf Version 2.0.4 oder eine neuere gepatchte Version
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
It's a Cross-Site Request Forgery (XSRF) vulnerability in the Add Custom Fields to Media WordPress plugin, allowing attackers to delete custom media fields.
If you're using the Add Custom Fields to Media plugin in versions 0.0.0 through 2.0.3, you are potentially affected by this vulnerability.
Upgrade the plugin to version 2.0.4 or later to resolve the XSRF vulnerability. Consider WAF rules as a temporary workaround.
There are currently no reports of active exploitation campaigns targeting CVE-2026-4068, but the ease of exploitation warrants caution.
Refer to the official WordPress security advisories and the Add Custom Fields to Media plugin developer's website for more information.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.