CVE-2026-4068: CWE-352 Cross-Site Request Forgery (CSRF) in pattihis Add Custom Fields to Media
CVE-2026-4068 is a medium severity Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin 'Add Custom Fields to Media' by pattihis, affecting all versions up to and including 2.0.3. The flaw arises because the plugin fails to validate a nonce token when processing deletion of custom media fields, allowing unauthenticated attackers to trick administrators into deleting arbitrary fields via crafted links. While the 'add field' operation is protected by nonce validation, the 'delete field' operation processes the $_GET['delete'] parameter without such protection. Exploitation requires user interaction, specifically an admin clicking a malicious link, but no authentication is needed to initiate the request. The vulnerability impacts the integrity of custom media fields but does not affect confidentiality or availability. No known exploits are reported in the wild yet. Organizations using this plugin should apply patches or implement nonce validation immediately to prevent unauthorized modifications to media metadata.
AI Analysis
Technical Summary
The 'Add Custom Fields to Media' WordPress plugin by pattihis contains a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2026-4068, affecting all versions up to and including 2.0.3. The vulnerability stems from the plugin's failure to implement nonce validation on the deletion functionality of custom media fields within the admin interface. Specifically, while the 'add field' operation correctly validates a nonce token to ensure the legitimacy of the request, the 'delete field' operation processes the $_GET['delete'] parameter without any nonce verification. This omission allows an attacker to craft a malicious URL that, when visited by an authenticated administrator, triggers the deletion of arbitrary custom media fields by calling update_option() without proper authorization checks. The attack vector requires social engineering to convince an admin to click a malicious link, but no prior authentication or elevated privileges are needed by the attacker to initiate the request. The vulnerability impacts the integrity of the media metadata stored via custom fields, potentially disrupting site functionality or content management workflows. Although no exploits have been reported in the wild, the vulnerability has a CVSS 3.1 base score of 4.3, reflecting its medium severity due to the need for user interaction and limited impact scope. The flaw is categorized under CWE-352, which covers CSRF vulnerabilities that exploit missing or improper request validation mechanisms. The plugin's widespread use in WordPress sites that manage media with custom fields makes this a relevant concern for site administrators and security teams.
Potential Impact
The primary impact of CVE-2026-4068 is on the integrity of WordPress sites using the vulnerable 'Add Custom Fields to Media' plugin. Attackers can delete arbitrary custom media fields by exploiting the CSRF flaw, potentially leading to loss or corruption of metadata associated with media files. This can disrupt content management, cause display issues, or break functionality relying on these custom fields. Since the attack requires an administrator to click a malicious link, the risk depends on the likelihood of successful social engineering. Confidentiality and availability are not directly affected by this vulnerability. However, the integrity compromise could have downstream effects on site operations and user trust. Organizations with high reliance on media metadata customization, such as media companies, e-commerce sites with rich media catalogs, or content-heavy platforms, may experience operational disruptions. The absence of known exploits reduces immediate risk, but the vulnerability remains a viable attack vector until patched.
Mitigation Recommendations
To mitigate CVE-2026-4068, site administrators should update the 'Add Custom Fields to Media' plugin as soon as a release that adds nonce validation to the delete operation is available. Until an official patch exists, administrators can manually add nonce checks to the plugin's admin display template for the delete field functionality, ensuring that any request to delete a field carries a valid nonce token that is verified server-side before any state is changed. Additionally, administrators should educate users with admin privileges about the risks of clicking untrusted links and consider implementing Content Security Policy (CSP) headers to reduce the risk of CSRF attacks. Employing security plugins that provide CSRF protection or web application firewalls (WAFs) capable of detecting and blocking suspicious requests can add further defense layers. Regular backups of site data, including media metadata, are essential to recover from any unauthorized changes. Finally, monitoring admin activity logs for unusual deletion events can help detect exploitation attempts early.
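The following is an added illustration, not code from the plugin or from the advisory, of what the missing check looks like in WordPress terms. The first function reconstructs the vulnerable shape the advisory describes (a GET parameter acted on and persisted with update_option() with no nonce check); the second pair shows the hardened shape, where the delete link is generated with wp_nonce_url() and the handler verifies it with check_admin_referer() and a capability check before touching the option. The option name 'acfm_fields', the nonce action 'acfm_delete_field_*', the query argument 'acfm_nonce' and the admin page slug are assumptions chosen for the example.

```php
<?php
// Added example (not the plugin's own code). Names below are assumptions:
// option 'acfm_fields', nonce action prefix 'acfm_delete_field_',
// nonce query arg 'acfm_nonce', admin page 'upload.php?page=acfm'.

// --- Vulnerable shape (as described in the advisory): the 'delete'
// parameter is trusted and persisted with no nonce verification, so any
// cross-site GET an admin is lured into loading performs the deletion.
function acfm_handle_delete_vulnerable() {
    if ( isset( $_GET['delete'] ) ) {
        $fields = get_option( 'acfm_fields', array() );
        unset( $fields[ $_GET['delete'] ] );
        update_option( 'acfm_fields', $fields );
    }
}

// --- Hardened shape ---

// Render the delete link with a nonce bound to the specific field key, so a
// token for one field cannot be replayed against another.
function acfm_delete_link( $field_key ) {
    $url = add_query_arg( 'delete', $field_key, admin_url( 'upload.php?page=acfm' ) );
    return wp_nonce_url( $url, 'acfm_delete_field_' . $field_key, 'acfm_nonce' );
}

function acfm_handle_delete_hardened() {
    if ( ! isset( $_GET['delete'] ) ) {
        return;
    }
    $field_key = sanitize_key( wp_unslash( $_GET['delete'] ) );

    // Capability check: the nonce proves intent, not authorization, so both
    // checks are needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'acfm' ), 403 );
    }

    // Nonce check, before any state change. check_admin_referer() validates
    // the token for this user and action and calls wp_die() if it fails.
    check_admin_referer( 'acfm_delete_field_' . $field_key, 'acfm_nonce' );

    $fields = get_option( 'acfm_fields', array() );
    if ( isset( $fields[ $field_key ] ) ) {
        unset( $fields[ $field_key ] );
        update_option( 'acfm_fields', $fields );
    }

    // Redirect after the write so a page reload does not repeat the action.
    wp_safe_redirect( remove_query_arg( array( 'delete', 'acfm_nonce' ) ) );
    exit;
}
```

The important ordering is that both the capability check and the nonce check run before get_option()/update_option(); a check placed after the write would still leave the deletion exploitable. A crafted link from another origin cannot carry a valid 'acfm_nonce' because the token is derived from the victim's session and the action string, which is exactly the property the 'add field' path already relies on and the 'delete field' path lacked.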
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-03-12T19:38:07.679Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bba122e32a4fbe5f9bab7f
Added to database: 3/19/2026, 7:09:22 AM
Last enriched: 3/19/2026, 7:24:11 AM
Last updated: 3/19/2026, 8:10:02 AM