CVE-2016-20083
Description
Cross-site request forgery in WordPress More Fields Plugin 2.1 allows an attacker to add or delete custom fields by tricking an administrator into submitting forged requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WordPress More Fields Plugin version 2.1 performs no CSRF token (WordPress nonce) validation on any of its administrative functions, including adding and deleting custom fields and boxes on the Write/Edit page [1][2]. The vulnerable actions are reached through POST and GET requests to options-general.php with the page=more-fields parameter [1]. The attacker needs no credentials and no special configuration: the victim's existing admin session supplies the authentication, and because the plugin never checks for a nonce, a request forged from another origin is processed exactly like one submitted from the plugin's own settings page [2].
Exploitation
An attacker crafts a malicious web page that contains either an auto-submitting form (for adding a box) or a simple link (for deleting a box) targeting the options-general.php endpoint [1]. The attacker must get a logged-in administrator to load that page while their admin session is active [1][2]. For adding a box, the form sends hidden fields such as label, post_types[], position, and action=save [1]. For deleting a box, the request is a GET query with action=delete and the action_keys parameter set to the box name [1]. Beyond loading the page (or, in the link variant, clicking the link), no further interaction is needed, because the plugin never validates a CSRF token [2].
Impact
A successful CSRF attack allows the attacker to add or delete arbitrary custom fields and boxes on the Write/Edit page in the WordPress admin area [1][2]. The attacker can create misleading fields or remove legitimate ones, which disrupts content editors' workflow and can lead to data integrity issues [2]. The impact is confined to the integrity of this plugin's metadata configuration (adding and removing fields and boxes); it does not by itself grant administrative control of the site, but it can disrupt normal site operation [2].
Mitigation
As of the available references, no patched version of the More Fields Plugin has been released [1][2]. Users are advised to disable or remove the plugin if it is not essential, as there is no known workaround other than ensuring administrators do not visit untrusted web pages while logged in [1][2]. The plugin’s last update appears to be version 2.1, which remains vulnerable [1]. The vulnerability is not listed in the CISA KEV as of the publication date [2].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress More Fields Plugin (no CPE assigned): version = 2.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"CSRF token validation is disabled for all plugin functions, allowing unauthenticated cross-origin requests to add or delete custom fields and boxes."
Attack vector
An attacker crafts a malicious web page that, when visited by a logged-in administrator, submits a POST or GET request to the `options-general.php` endpoint of the WordPress admin area. Because the plugin does not validate CSRF tokens, the forged request can add or delete custom fields and boxes on the Write/Edit page without the administrator's consent [ref_id=1]. The attack requires no authentication beyond the victim's existing session and can be delivered via standard social engineering (e.g., a link or embedded form).
Affected code
The plugin More Fields version 2.1 disables CSRF token validation for all functions, including the add box and delete box options. The vulnerable endpoint is `options-general.php?page=more-fields` where actions such as `save` and `delete` are processed without verifying a nonce [ref_id=1].
What the fix does
The advisory states that the plugin's development has ceased and no patched version is available. The recommended solution is to add CSRF token validation (i.e., WordPress nonce checks such as wp_nonce_field() on the form and check_admin_referer() in the handler) to every state-changing plugin action, or to switch to a different plugin [ref_id=1]. Without a nonce check, any logged-in administrator can be tricked into performing unintended state changes; a nonce check should also sit alongside a capability check, since a nonce proves the request came from the plugin's own page, not that the user is authorized.
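The following is an added example, not the More Fields plugin's own code: a minimal settings-page handler of the kind the advisory describes, shown first without any CSRF protection (the vulnerable pattern) and then hardened with WordPress nonces and a capability check. All `mf_example_*` names and the `mf_example_boxes` option are illustrative assumptions; the `wp_*`, `check_admin_referer()`, `current_user_can()` and `get_option()`/`update_option()` calls are real WordPress core APIs, and the code assumes it runs inside a WordPress admin page.

```php
<?php
/**
 * Added example (not the More Fields plugin's code). Assumes WordPress is
 * loaded. The mf_example_* names and the 'mf_example_boxes' option are
 * illustrative assumptions.
 */

/* --- Vulnerable pattern: acts on any request that carries the right fields. --- */
function mf_example_handle_vulnerable() {
    $boxes  = get_option( 'mf_example_boxes', array() );
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';

    if ( 'save' === $action ) {
        // POST from a form: label, post_types[], position, action=save
        $label           = sanitize_text_field( wp_unslash( $_POST['label'] ) );
        $boxes[ $label ] = array(
            'post_types' => array_map( 'sanitize_key', (array) $_POST['post_types'] ),
            'position'   => sanitize_text_field( wp_unslash( $_POST['position'] ) ),
        );
    } elseif ( 'delete' === $action ) {
        // GET: ?page=more-fields&action=delete&action_keys=<box>
        unset( $boxes[ sanitize_text_field( wp_unslash( $_GET['action_keys'] ) ) ] );
    }
    update_option( 'mf_example_boxes', $boxes );
    // Nothing above proves the request originated from this plugin's own page,
    // so a form on an attacker's site submitted by a logged-in admin succeeds.
}

/* --- Hardened pattern: the page emits nonces, the handler verifies them. --- */
function mf_example_render_page() {
    $boxes = get_option( 'mf_example_boxes', array() );

    echo '<form method="post" action="' . esc_url( admin_url( 'options-general.php?page=more-fields' ) ) . '">';
    wp_nonce_field( 'mf_example_save_box' ); // emits hidden _wpnonce and _wp_http_referer
    echo '<input type="hidden" name="action" value="save">';
    echo '<input name="label"> <input name="position">';
    echo '<input type="checkbox" name="post_types[]" value="post">';
    submit_button( 'Add box' );
    echo '</form>';

    foreach ( array_keys( $boxes ) as $name ) {
        // Nonce bound to this specific box: a token for one box cannot delete another.
        $url = wp_nonce_url(
            admin_url( 'options-general.php?page=more-fields&action=delete&action_keys=' . rawurlencode( $name ) ),
            'mf_example_delete_box_' . $name
        );
        printf( '<a href="%s">Delete %s</a><br>', esc_url( $url ), esc_html( $name ) );
    }
}

function mf_example_handle_hardened() {
    // Authorization first: a nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $boxes  = get_option( 'mf_example_boxes', array() );
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';

    if ( 'save' === $action ) {
        // Reads _wpnonce from $_REQUEST, verifies it for this user, session and
        // action string, and calls wp_die() with a 403 if it is missing or wrong.
        check_admin_referer( 'mf_example_save_box' );
        $label           = sanitize_text_field( wp_unslash( $_POST['label'] ) );
        $boxes[ $label ] = array(
            'post_types' => array_map( 'sanitize_key', (array) $_POST['post_types'] ),
            'position'   => sanitize_text_field( wp_unslash( $_POST['position'] ) ),
        );
    } elseif ( 'delete' === $action ) {
        $key = isset( $_GET['action_keys'] ) ? sanitize_text_field( wp_unslash( $_GET['action_keys'] ) ) : '';
        // Works for GET too: check_admin_referer() reads the nonce from $_REQUEST.
        check_admin_referer( 'mf_example_delete_box_' . $key );
        unset( $boxes[ $key ] );
    }
    update_option( 'mf_example_boxes', $boxes );
}
```

A WordPress nonce is derived from the current user, their session token, the action string and a time tick, so a page on another origin cannot obtain or guess it; a forged request therefore arrives without a valid `_wpnonce` and `check_admin_referer()` stops it before any option is written. The nonce is not an authorization mechanism, which is why the hardened handler checks `current_user_can()` first. Nonces also expire (after 12 to 24 hours by default), which bounds the window in which a leaked token is useful. Even with a nonce, state-changing actions such as delete are better moved from GET to POST so they cannot be triggered by a bare link or image request.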
Preconditions
- auth: The victim must be logged in as an administrator to the WordPress admin area.
- input: The attacker must trick the victim into visiting a crafted HTML page (e.g., via a link or embedded form).
- config: The plugin More Fields version 2.1 must be installed and active.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.