Platform: wordpress
Component: add-custom-fields-to-media
Fixed in: 2.0.4
CVE-2026-4068 is a Cross-Site Request Forgery (XSRF) vulnerability in the Add Custom Fields to Media plugin for WordPress. The flaw lets an unauthenticated attacker delete custom media fields by getting a logged-in user to submit a forged request, because the plugin performed the deletion without validating a nonce. Versions 0.0.0 through 2.0.3 are affected; a patch is available in version 2.0.4.
An attacker can exploit this XSRF vulnerability to delete arbitrary custom media fields within a WordPress site using the vulnerable plugin. This could disrupt workflows that rely on these custom fields, potentially leading to data loss or operational issues. While the direct impact might seem limited to field deletion, it can be a component of a broader attack. For example, if these custom fields store sensitive information, their deletion could be a step towards data exfiltration or denial of service. The blast radius is limited to sites using the Add Custom Fields to Media plugin, but the ease of exploitation makes it a concerning risk, particularly for sites with many custom fields.
CVE-2026-4068 was published on 2026-03-19. Severity is assessed as MEDIUM (CVSS 4.3). No public proof-of-concept (PoC) code is currently known, but the nature of the vulnerability makes it relatively easy to exploit. There are no indications of active campaigns targeting this specific vulnerability at this time. Monitor security advisories from WordPress and the plugin developer for updates.
Exploit Status
EPSS: 0.02% (3rd percentile)
The primary mitigation for CVE-2026-4068 is to upgrade the Add Custom Fields to Media plugin to version 2.0.4 or later. If upgrading is not immediately feasible, consider temporary workarounds: restrict access to the plugin's admin interface to trusted users only, or use a Web Application Firewall (WAF) to filter requests targeting the field deletion endpoint. WAF rules should specifically look for GET requests carrying the 'delete' parameter without a valid nonce. After upgrading, verify the fix by attempting to delete a custom field via a crafted URL that lacks a valid nonce; the request should be rejected.
Update to version 2.0.4, or a newer patched version
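To illustrate the class of bug described above, here is an added, hypothetical PHP example (not the plugin's actual code) showing a deletion handler that acts on a bare 'delete' GET parameter beside a hardened version that requires a capability and a WordPress nonce. The option name 'acfm_fields' and the 'acfm' page slug are assumptions for the example.

```php
<?php
// Hypothetical illustration of the XSRF pattern, not the plugin's own code.
// Assumes custom field names are stored as an array in the WordPress option
// 'acfm_fields' (assumed name) and managed from an assumed 'acfm' settings page.

// VULNERABLE pattern: a state change is triggered by a GET parameter with no
// nonce and no capability check, so any forged link an administrator follows
// deletes the named field.
function acfm_handle_delete_vulnerable() {
    if ( isset( $_GET['delete'] ) ) {
        $fields = (array) get_option( 'acfm_fields', array() );
        unset( $fields[ $_GET['delete'] ] );
        update_option( 'acfm_fields', $fields );
    }
}

// HARDENED pattern, step 1: every delete link the plugin renders carries a
// nonce bound to the specific field (wp_nonce_url() appends _wpnonce).
function acfm_delete_link( $field_key ) {
    $url = add_query_arg( 'delete', $field_key, admin_url( 'options-general.php?page=acfm' ) );
    return wp_nonce_url( $url, 'acfm_delete_' . $field_key );
}

// HARDENED pattern, step 2: the handler verifies capability and nonce before
// touching stored data, then redirects so a refresh cannot replay the request.
function acfm_handle_delete_hardened() {
    if ( ! isset( $_GET['delete'] ) ) {
        return;
    }
    $field_key = sanitize_key( wp_unslash( $_GET['delete'] ) );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() stops with a 403 page when _wpnonce is missing,
    // expired, or was issued for a different action or user.
    check_admin_referer( 'acfm_delete_' . $field_key );

    $fields = (array) get_option( 'acfm_fields', array() );
    if ( isset( $fields[ $field_key ] ) ) {
        unset( $fields[ $field_key ] );
        update_option( 'acfm_fields', $fields );
    }
    wp_safe_redirect( remove_query_arg( array( 'delete', '_wpnonce' ) ) );
    exit;
}
add_action( 'admin_init', 'acfm_handle_delete_hardened' );
```

Because the nonce is tied to the logged-in user's session and the specific action, a link constructed by a third party fails check_admin_referer(), which is the behaviour the post-upgrade verification step above expects.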
It's a Cross-Site Request Forgery (XSRF) vulnerability in the Add Custom Fields to Media WordPress plugin, allowing attackers to delete custom media fields.
If you're using the Add Custom Fields to Media plugin in versions 0.0.0 through 2.0.3, you are potentially affected by this vulnerability.
Upgrade the plugin to version 2.0.4 or later to resolve the XSRF vulnerability. Consider WAF rules as a temporary workaround.
There are currently no reports of active exploitation campaigns targeting CVE-2026-4068, but the ease of exploitation warrants caution.
Refer to the official WordPress security advisories and the Add Custom Fields to Media plugin developer's website for more information.