What the vulnerability does
01Description
WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Attackers can craft malicious web pages that trick logged-in administrators into adding or deleting custom fields and boxes on the Write/Edit page via POST and GET requests to the options-general.php endpoint.
Explanation of Vulnerability in Simple Terms
02Summary
More Fields contains a cross-site request forgery (CSRF) vulnerability that allows an attacker to perform unauthorized actions on behalf of an authenticated user without their knowledge. The vulnerability affects versions 2.1 and requires no special privileges or user interaction beyond the victim being logged in. Site administrators should update to a patched version when available.
What an attacker can do
03Attacker Capabilities
Perform unauthorized actions on the site on behalf of a logged-in user without their consent.
Potential impact on your site
04Site Impact
Attackers can modify site data or settings by tricking administrators into visiting malicious links while logged in.
Conditions required to exploit
05Prerequisites
Victim must be logged in to the site; attacker needs to trick them into visiting a malicious page.
Key dates
06Disclosure timeline
June 15, 2026
CVE published
June 15, 2026
Record updated