PatchSiren cyber security CVE debrief
CVE-2016-20083 henrikmelin CVE debrief
CVE-2016-20083 is a cross-site request forgery vulnerability in WordPress More Fields Plugin 2.1. The vulnerability allows attackers to perform unauthorized actions by disabling CSRF token validation. Attackers can craft malicious web pages that trick logged-in administrators into adding or deleting custom fields and boxes on the Write/Edit page via POST and GET requests to the options-general.php endpoint.
- Vendor: henrikmelin
- Product: More Fields
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Administrators of WordPress sites using the More Fields Plugin 2.1 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 6.9 and a severity of MEDIUM. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a patched version of the More Fields Plugin if available.
- Implement additional security measures such as CSRF token validation.
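While a fix is pending, access logs can be reviewed for the request pattern described above. The following is an added example, not part of the original advisory: it flags state-changing requests to options-general.php whose Referer is another site, or POSTs that carry no Referer at all. The hostname `example.test`, the `/wp-admin/` prefix (WordPress default), the combined log format and every sample line, including its query parameters, are constructed assumptions; a hit is a lead for review, not proof of exploitation.

```python
import re
from urllib.parse import urlsplit

SITE_HOST = "example.test"                  # assumption: the site's own hostname
ENDPOINT = "/wp-admin/options-general.php"  # endpoint named in the advisory

# Combined log format: ip - user [time] "METHOD target PROTO" status bytes "referer" ...
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)"'
)

# Constructed sample lines (hosts, addresses and parameters are placeholders).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Jun/2026:10:00:01 +0000] "GET /wp-admin/options-general.php?page=placeholder HTTP/1.1" 200 5120 "https://example.test/wp-admin/index.php" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Jun/2026:10:02:10 +0000] "POST /wp-admin/options-general.php?page=placeholder HTTP/1.1" 302 0 "https://lure.invalid/promo.html" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Jun/2026:10:02:11 +0000] "GET /wp-admin/options-general.php?page=placeholder&action=delete HTTP/1.1" 200 5120 "https://lure.invalid/promo.html" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Jun/2026:10:05:00 +0000] "POST /wp-admin/options-general.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Jun/2026:10:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "https://lure.invalid/" "Mozilla/5.0"',
]

def cross_site_hits(lines, site_host=SITE_HOST):
    """Return (time, method, reason, referer_host) for requests worth reviewing."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        state_changing = m["method"] == "POST" or bool(url.query)
        if url.path != ENDPOINT or not state_changing:
            continue
        ref_host = urlsplit(m["referer"]).hostname  # None for "-" or empty
        if ref_host == site_host.lower():
            continue  # same-origin navigation inside the admin area
        if ref_host is None and m["method"] != "POST":
            continue  # GET without Referer: bookmarks and typed URLs, too noisy
        reason = "cross-site-referer" if ref_host else "post-without-referer"
        hits.append((m["time"], m["method"], reason, ref_host))
    return hits

if __name__ == "__main__":
    for hit in cross_site_hits(SAMPLE_LOG):
        print(hit)
```
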
Evidence notes
The vulnerability was reported by an unknown vendor and has a low confidence level.
Official resources
CVE-2016-20083 was published on 2026-06-15T14:16:31.923Z and last modified on 2026-06-15T14:16:31.923Z.