CVE-2016-20083: WordPress More Fields Plugin CSRF Flaw

CVE-2016-20083 is a cross-site request forgery flaw in WordPress More Fields Plugin 2.1 that lets attackers trick admins into unauthorized actions. This article covers technical details, affected versions, impact, and mitigation.

CVE-2016-20083 Overview

CVE-2016-20083 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress More Fields plugin version 2.1. The plugin disables CSRF token validation, allowing attackers to forge state-changing requests on behalf of authenticated administrators. An attacker who lures a logged-in administrator to a malicious page can add or delete custom fields and boxes on the Write/Edit page through unauthenticated POST and GET requests to options-general.php. The flaw is tracked under CWE-352: Cross-Site Request Forgery and affects WordPress sites running the vulnerable plugin version.

Critical Impact

Attackers can modify or remove custom field configurations on a WordPress site by tricking an authenticated administrator into visiting a crafted page, leading to content management tampering and potential disruption of editorial workflows.

Affected Products

  • WordPress More Fields Plugin 2.1
  • WordPress installations using the More Fields plugin
  • Sites where administrators access the plugin's options-general.php configuration endpoint

Discovery Timeline

  • 2026-06-15 - CVE-2016-20083 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2016-20083

Vulnerability Analysis

The More Fields plugin extends WordPress by enabling administrators to define custom fields and boxes for the Write/Edit page. Configuration changes are processed through the plugin's handler invoked via options-general.php. The plugin accepts both POST and GET requests for state-changing operations such as creating or deleting custom field configurations.

Because the plugin disables CSRF token validation, the server cannot distinguish between legitimate administrator-initiated requests and forged requests originating from a third-party page. An attacker hosts a malicious page containing an auto-submitting form or image tag that targets the plugin's endpoint. When an authenticated administrator visits the page, the browser attaches the session cookie and the server executes the action.

The vulnerability does not require attacker authentication and exploits the trust the application places in the administrator's session. Successful exploitation results in unauthorized modification of plugin configuration data.

Root Cause

The root cause is the absence of anti-CSRF nonce verification on the plugin's administrative request handlers. WordPress provides the wp_nonce_field() and check_admin_referer() APIs to mitigate CSRF, but the More Fields 2.1 plugin does not invoke these checks before processing add or delete operations on custom fields and boxes.
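The pattern the root cause describes, and the nonce-verified form of it, on a hypothetical options handler written in the style of a WordPress settings page (an added illustration, not the More Fields plugin's own code; every mf_demo_* name and the mf_demo_boxes option are assumptions):

```php
<?php
// Added illustration: a hypothetical options handler, not the More Fields plugin's code.
// All mf_demo_* names and the 'mf_demo_boxes' option are assumptions.

// VULNERABLE PATTERN: acts on any GET or POST with no nonce or capability check,
// so a request forged from a third-party page succeeds once the admin's cookie is sent.
function mf_demo_delete_box_vulnerable() {
    if ( isset( $_REQUEST['mf_action'] ) && 'delete_box' === $_REQUEST['mf_action'] ) {
        $boxes = get_option( 'mf_demo_boxes', array() );
        unset( $boxes[ sanitize_key( $_REQUEST['box'] ?? '' ) ] );
        update_option( 'mf_demo_boxes', $boxes );
    }
}

// HARDENED, step 1: the form carries a nonce bound to one specific action.
function mf_demo_render_delete_form( $box_id ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="mf_demo_delete_box">';
    echo '<input type="hidden" name="box" value="' . esc_attr( $box_id ) . '">';
    wp_nonce_field( 'mf_demo_delete_box', '_wpnonce' ); // emits _wpnonce and _wp_http_referer
    submit_button( 'Delete box' );
    echo '</form>';
}

// HARDENED, step 2: verify method, nonce and capability before touching any option.
function mf_demo_handle_delete_box() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( 'State changes must be submitted via POST.', 405 );
    }
    // Ends the request with 403 if the nonce is absent, expired or bound to another action.
    check_admin_referer( 'mf_demo_delete_box', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    $boxes = get_option( 'mf_demo_boxes', array() );
    unset( $boxes[ sanitize_key( $_POST['box'] ?? '' ) ] );
    update_option( 'mf_demo_boxes', $boxes );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_mf_demo_delete_box', 'mf_demo_handle_delete_box' );
```

A forged request fails at check_admin_referer() because the attacker's page cannot read the nonce tied to the administrator's session, and the POST-only check removes the <img>-tag vector entirely.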

Attack Vector

Exploitation is performed over the network through a victim's browser. The attacker delivers a link or embedded content (email, forum post, malvertising) that triggers a request to the WordPress administrator's site. Because GET requests are also accepted, an <img> tag pointing to the vulnerable endpoint is sufficient to trigger the action. No user interaction beyond visiting a page is required once the administrator is already logged in.

No synthetic exploit code is reproduced here. Public technical details are available in Exploit-DB #39507 and the VulnCheck WordPress CSRF Advisory.

Detection Methods for CVE-2016-20083

Indicators of Compromise

  • Unexpected addition, modification, or removal of custom fields or boxes in the WordPress admin interface without corresponding administrator activity in audit logs.
  • HTTP requests to options-general.php with More Fields plugin parameters that originate from external Referer headers rather than the WordPress admin domain.
  • Web server access logs showing state-changing plugin actions invoked through GET requests to administrative endpoints, which is atypical for such operations.

Detection Strategies

  • Inspect web server logs for cross-origin Referer values on POST and GET requests to /wp-admin/options-general.php containing More Fields plugin parameters.
  • Correlate plugin configuration changes against administrator session timelines to identify changes that coincide with external browsing activity.
  • Deploy a Web Application Firewall (WAF) rule that flags requests to the More Fields endpoint lacking a valid WordPress nonce parameter.
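The three strategies above applied to access-log lines, as an added illustration that is not part of the advisory; SITE_HOST, the sample lines and every request parameter other than _wpnonce are constructed assumptions:

```php
<?php
// Added illustration (not from the advisory): applies the three detection strategies
// above to Combined Log Format lines. SITE_HOST, the sample lines and every request
// parameter except _wpnonce are constructed assumptions.
const SITE_HOST = 'blog.example.org';
const ENDPOINT  = '/wp-admin/options-general.php';

// Returns [line no, client IP, reasons] for each request tripping at least two
// indicators; one alone (e.g. a bookmarked visit with no Referer) is ordinary noise.
function scan_access_log( array $lines ): array {
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$/';
    $findings = [];
    foreach ( $lines as $i => $line ) {
        if ( ! preg_match( $re, $line, $m ) ) { continue; }
        [ , $ip, $method, $target, $referer ] = $m;
        $url = parse_url( $target );
        if ( ( $url['path'] ?? '' ) !== ENDPOINT ) { continue; }
        parse_str( $url['query'] ?? '', $args );
        $state_args = array_diff_key( $args, [ 'page' => 1 ] ); // 'page' only picks the screen
        $reasons    = [];
        // 1. Referer absent or from an origin other than the site itself.
        $ref_host = in_array( $referer, [ '', '-' ], true ) ? null : parse_url( $referer, PHP_URL_HOST );
        if ( empty( $ref_host ) ) {
            $reasons[] = 'no-referer';
        } elseif ( strcasecmp( $ref_host, SITE_HOST ) !== 0 ) {
            $reasons[] = "cross-origin-referer:$ref_host";
        }
        // 2. Action parameters sent via GET to an endpoint that should change state only via POST.
        if ( 'GET' === $method && $state_args !== [] ) { $reasons[] = 'get-with-params'; }
        // 3. Action parameters without the _wpnonce a nonce-protected form always includes.
        if ( $state_args !== [] && ! isset( $args['_wpnonce'] ) ) { $reasons[] = 'missing-nonce'; }
        if ( count( $reasons ) >= 2 ) { $findings[] = [ $i + 1, $ip, $reasons ]; }
    }
    return $findings;
}

// Constructed sample: two ordinary admin requests, a same-origin action carrying a
// nonce, then a forged GET that arrives from a third-party page.
$sample = [
    '203.0.113.7 - - [15/Jun/2026:10:00:00 +0000] "GET /wp-admin/options-general.php?page=more-fields HTTP/1.1" 200 5120 "https://blog.example.org/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Jun/2026:10:00:05 +0000] "POST /wp-admin/options-general.php?page=more-fields HTTP/1.1" 302 0 "https://blog.example.org/wp-admin/options-general.php?page=more-fields" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Jun/2026:10:01:10 +0000] "GET /wp-admin/options-general.php?page=more-fields&mf_action=delete&box=2&_wpnonce=9f8e7d6c HTTP/1.1" 302 0 "https://blog.example.org/wp-admin/options-general.php?page=more-fields" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Jun/2026:10:07:41 +0000] "GET /wp-admin/options-general.php?page=more-fields&mf_action=delete&box=3 HTTP/1.1" 302 0 "https://evil.example/post.html" "Mozilla/5.0"',
];
foreach ( scan_access_log( $sample ) as [ $n, $ip, $reasons ] ) {
    echo "line $n from $ip: " . implode( ', ', $reasons ) . PHP_EOL;
}
```

Only the fourth line is reported (cross-origin Referer, GET with parameters, no nonce); the nonce on the third line is what separates a legitimate same-origin action from a forged one, since POST bodies are not in the access log and GET parameters are the only ones visible there.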

Monitoring Recommendations

  • Enable WordPress audit logging plugins to record all custom field configuration changes with originating IP and user agent.
  • Monitor for HTTP requests to administrative endpoints with mismatched or absent Origin and Referer headers.
  • Alert on bulk modifications to plugin settings within short time windows, which may indicate automated CSRF exploitation.

How to Mitigate CVE-2016-20083

Immediate Actions Required

  • Audit WordPress installations for the More Fields plugin and identify any sites running version 2.1 or earlier.
  • Deactivate and remove the More Fields plugin if it is not actively maintained or required for site operation.
  • Review custom field and box configurations for unauthorized changes and restore from backups where tampering is suspected.
  • Force re-authentication of administrator sessions and rotate WordPress authentication keys defined in wp-config.php.

Patch Information

No vendor patch is referenced in the available advisory data. The More Fields plugin is listed as no longer actively maintained on its WordPress Plugin Support page. Site operators should migrate to a maintained custom fields plugin that implements WordPress nonce verification, such as Advanced Custom Fields, and verify the CSRF protections of any replacement.

Workarounds

  • Restrict access to /wp-admin/ by IP allowlist at the web server or WAF layer so that administrative endpoints cannot be reached from arbitrary networks.
  • Deploy a WAF rule that rejects requests to More Fields plugin endpoints when a valid _wpnonce parameter is absent.
  • Require administrators to use a separate browser profile or session for WordPress administration to reduce CSRF exposure from general web browsing.
  • Enforce the SameSite=Lax or SameSite=Strict attribute on WordPress authentication cookies to block cross-site cookie attachment on forged requests.
```nginx
# Example nginx configuration to restrict wp-admin access by IP.
# Caveats: admin-ajax.php under /wp-admin/ is also used by front-end features for
# anonymous visitors and needs an exemption; and because ^~ stops regex location
# matching, the site's PHP-FPM handler must also be applied inside this block,
# otherwise the admin scripts would be served as static files.
location ^~ /wp-admin/ {
    allow 203.0.113.0/24;   # trusted admin network (documentation range; substitute your own)
    deny  all;
    try_files $uri $uri/ /index.php?$args;
}
```

```apache
# Example ModSecurity rule to block CSRF on the More Fields endpoint.
# As written it matches every request to options-general.php, including an
# administrator simply opening the Settings screen (a plain GET carries no nonce);
# narrow the first rule with the plugin's own request parameters before enforcing.
SecRule REQUEST_URI "@contains /wp-admin/options-general.php" \
    "chain,phase:2,deny,status:403,id:1002016,\
     msg:'Blocked More Fields request missing WordPress nonce'"
    SecRule &ARGS:_wpnonce "@eq 0"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
