CVE-2024-0613 in Delete Custom Fields Plugin

Summary

by MITRE • 05/02/2024

The Delete Custom Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3.1. This is due to missing or incorrect nonce validation on the ajax_delete_field() function. This makes it possible for unauthenticated attackers to delete arbitrary post meta data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.


Analysis

by VulDB Data Team • 04/06/2025

CVE-2024-0613 affects the Delete Custom Fields plugin for WordPress: a critical cross-site request forgery weakness that undermines the integrity of WordPress site administration. All versions up to and including 0.3.1 are affected, so every site that relies on this plugin for custom field management is exposed. The flaw lies in the plugin's ajax_delete_field() function, which does not verify that an incoming request was intentionally issued by the logged-in user because its nonce validation is missing or incorrect.

Because the nonce check is absent, an unauthenticated attacker can craft a request aimed at the plugin's delete functionality and rely on the victim's browser to supply the session cookies. When a site administrator visits an attacker-controlled page or clicks a malicious link, the forged request reaches the delete_field() function and is processed without any proof that the administrator intended it. The result is that post meta data can be removed from posts, pages, or custom post types. Since ajax_delete_field() is precisely the function that deletes custom fields, sites that depend heavily on custom metadata for content organization and presentation are the most exposed.

The operational impact goes beyond the loss of a single value, since it threatens site integrity and data availability. Attackers can remove custom fields holding content, metadata, or structural information that the site needs to function, leading to broken layouts, missing content, or corrupted data that must be restored by hand. Because the attack is unauthenticated, no prior access to the WordPress admin panel and no valid user credentials are required, only the administrator's interaction with a forged request. Deleted meta may also be referenced by other plugins or themes, so a single deletion can have cascading effects across the site.

Mitigation for CVE-2024-0613 should start with updating the plugin to a version that fixes the nonce validation, as that is the direct remedy. Administrators should also monitor their WordPress installations for unusual deletion activity and ensure that every user holds only the permissions they need, in line with the principle of least privilege. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) and relates to ATT&CK technique T1213.002 for Data from Information Repositories. Organizations should additionally consider a web application firewall capable of detecting and blocking suspicious AJAX requests, and maintain regular backups so that deleted data can be restored quickly. For the wider WordPress community, this case illustrates why proper nonce handling in AJAX-based functions matters, especially in plugins that perform sensitive data-manipulation operations.
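The following PHP is an added illustration of the nonce problem described above; it is not code from the Delete Custom Fields plugin or from VulDB. It contrasts a hypothetical admin-ajax handler that deletes a post meta key without a nonce check against a hardened version that uses WordPress's own check_ajax_referer() and current_user_can(), shows how the nonce reaches the legitimate admin script, and adds a deletion log hook for the monitoring the Analysis recommends. The action name `example_dcf_delete_field`, the nonce action `example_dcf_delete_field_nonce`, the script handle and all function names are assumptions for this example.

```php
<?php
/*
 * Added illustration (not the Delete Custom Fields plugin's own code).
 * Hypothetical names: example_dcf_* functions, the AJAX action
 * "example_dcf_delete_field" and nonce action "example_dcf_delete_field_nonce".
 */

// --- Vulnerable pattern (shown for contrast, deliberately not registered) ---
// A wp_ajax_ hook only requires that *some* user is logged in; it does not
// prove the logged-in user intended the request. Without a nonce, any
// cross-site page the administrator visits can make their browser submit
// this action with their cookies, and the meta key is deleted.
function example_dcf_ajax_delete_field_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    $key     = isset( $_POST['meta_key'] ) ? sanitize_text_field( wp_unslash( $_POST['meta_key'] ) ) : '';
    delete_post_meta( $post_id, $key );
    wp_send_json_success();
}
// add_action( 'wp_ajax_example_dcf_delete_field', 'example_dcf_ajax_delete_field_vulnerable' );

// --- Hardened pattern ------------------------------------------------------
function example_dcf_ajax_delete_field_hardened() {
    // 1. Nonce check. The token is only ever embedded in pages WordPress
    //    rendered for this user, so a cross-site page cannot know it.
    //    check_ajax_referer() replies "-1" and exits if the 'nonce' field is
    //    missing or invalid, so nothing below runs for a forged request.
    check_ajax_referer( 'example_dcf_delete_field_nonce', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $key     = isset( $_POST['meta_key'] ) ? sanitize_key( $_POST['meta_key'] ) : '';

    // 2. Capability check: a nonce proves intent, not authorization.
    //    The user must be allowed to edit this particular post.
    if ( ! $post_id || '' === $key || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Keys beginning with "_" are protected meta used by core and plugins;
    //    refuse to delete them through this UI.
    if ( is_protected_meta( $key, 'post' ) ) {
        wp_send_json_error( array( 'message' => 'protected key' ), 400 );
    }

    if ( ! delete_post_meta( $post_id, $key ) ) {
        wp_send_json_error( array( 'message' => 'nothing deleted' ), 404 );
    }
    wp_send_json_success( array( 'post_id' => $post_id, 'meta_key' => $key ) );
}
add_action( 'wp_ajax_example_dcf_delete_field', 'example_dcf_ajax_delete_field_hardened' );

// Hand the nonce to the plugin's own admin script (hypothetical admin.js) on the
// post edit screen. The legitimate UI sends it as the 'nonce' POST field.
function example_dcf_enqueue_admin_script( $hook_suffix ) {
    if ( 'post.php' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'example-dcf-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-dcf-admin', 'exampleDcf', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_dcf_delete_field_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_dcf_enqueue_admin_script' );

// Detection aid: record every post-meta deletion (whatever code path caused
// it) so unexpected removals can be reviewed against the PHP error log.
function example_dcf_log_meta_deletion( $meta_ids, $object_id, $meta_key ) {
    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    error_log( sprintf(
        'post meta deleted: post=%d key=%s user=%s ip=%s',
        $object_id, $meta_key, $user->user_login, $ip
    ) );
}
add_action( 'deleted_post_meta', 'example_dcf_log_meta_deletion', 10, 3 );
```

The order of the checks matters: the nonce check runs first so that a forged request is rejected before any input is even parsed, the capability check then confirms the user may edit that post, and only then is the meta key removed. A nonce alone is not an authorization control, which is why both checks appear in the hardened handler.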

Responsible

Wordfence

Reservation

01/16/2024

Disclosure

05/02/2024

Moderation

accepted

CPE

ready

EPSS

0.00183

KEV

no

Activities

very low
