Add Custom Fields to Media WordPress Plugin Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Add Custom Fields to Media plugin for WordPress, affecting all versions through 2.0.3. The issue arises from inadequate nonce validation in the field deletion process within the admin display template. While the plugin correctly verifies nonces for adding fields, the deletion operation processes the 'delete' parameter without any nonce checks. This flaw allows unauthenticated attackers to remove custom media fields by tricking an administrator into clicking a link.
Impact
A successful Cross-Site Request Forgery attack against this vulnerability deletes custom media fields without proper authorization.
Reproduction
To reproduce this vulnerability, a forged request must be sent to a WordPress site with the vulnerable plugin installed, from the browser of an administrator who is logged in. The request must include the 'delete' parameter with the unique ID of the custom field to be removed. The attacker achieves this by tricking the administrator into clicking a link that triggers the request, for example through social engineering.
Remediation
Users are advised to update the Add Custom Fields to Media plugin to version 2.0.4 or later.
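The gap described under Vulnerability (a nonce check on the add path, none on the 'delete' path) can be looked for during code review of similar admin templates. The following is an added example, not the plugin's code: a heuristic Python check run over a constructed template, in which the option name, the nonce action names and the `add_field` parameter are assumptions.

```python
import re

# Constructed sample, NOT the plugin's source: the "add" branch verifies a
# nonce, the "delete" branch acts on the parameter with no nonce check.
VULNERABLE_TEMPLATE = r"""<?php
if ( isset( $_POST['add_field'] ) ) {
    check_admin_referer( 'example_add_field' );
    $fields[ uniqid() ] = sanitize_text_field( wp_unslash( $_POST['add_field'] ) );
    update_option( 'example_media_fields', $fields );
}
if ( isset( $_GET['delete'] ) ) {
    unset( $fields[ sanitize_key( $_GET['delete'] ) ] );
    update_option( 'example_media_fields', $fields );
}
"""

# Same constructed template with the delete branch guarded.
FIXED_TEMPLATE = VULNERABLE_TEMPLATE.replace(
    "    unset(",
    "    if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }\n"
    "    check_admin_referer( 'example_delete_field' );\n"
    "    unset(",
)

NONCE_CHECKS = ("wp_verify_nonce", "check_admin_referer", "check_ajax_referer")
BRANCH = re.compile(
    r"if\s*\(\s*isset\s*\(\s*\$_(?:GET|POST|REQUEST)\[\s*'(\w+)'\s*\]\s*\)\s*\)\s*\{"
)

def block_body(src, open_idx):
    """Text between the '{' at open_idx and its matching '}' (naive matcher)."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced braces: treat the rest as the body

def unguarded_params(src):
    """Request parameters handled in a block that never verifies a nonce."""
    return [
        m.group(1)
        for m in BRANCH.finditer(src)
        if not any(c in block_body(src, m.end() - 1) for c in NONCE_CHECKS)
    ]

if __name__ == "__main__":
    print("vulnerable:", unguarded_params(VULNERABLE_TEMPLATE))
    print("fixed:", unguarded_params(FIXED_TEMPLATE))
```

In WordPress, the link or form that triggers the deletion must carry the matching nonce (for example one built with `wp_nonce_url()`), otherwise the guarded handler rejects legitimate requests as well.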
