Skip to main content

User Admin Simplifier CVE-2026-11775

| EUVDEUVD-2026-37974 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-19 Wordfence GHSA-x7qw-qpv3-vwj5
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-delivered CSRF with mandatory admin interaction (UI:R, PR:N) and impact limited to plugin configuration integrity (I:L); no confidentiality or availability impact applies.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 19, 2026 - 03:16 vuln.today
CVE Published
Jun 19, 2026 - 02:29 cve.org
MEDIUM 4.3

DescriptionCVE.org

The User Admin Simplifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the useradminsimplifier_options_page function. This makes it possible for unauthenticated attackers to reset and permanently delete any user's stored menu and admin-bar configuration via a forged request that triggers uas_save_admin_options() and overwrites the useradminsimplifier_options database entry via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AnalysisAI

Cross-Site Request Forgery in the User Admin Simplifier WordPress plugin (all versions up to and including 3.0.0) enables unauthenticated remote attackers to permanently delete any user's stored admin menu and admin-bar configuration by tricking a logged-in site administrator into submitting a forged request. The flaw exists because the useradminsimplifier_options_page function performs no valid nonce check before invoking uas_save_admin_options(), which unconditionally overwrites the useradminsimplifier_options database entry. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Craft forged admin request targeting useradminsimplifier_options_page
Delivery
Deliver malicious link via phishing or on-site comment
Exploit
Authenticated administrator clicks link
Install
Browser submits request with valid session cookie
C2
Missing nonce validation bypassed server-side
Execute
uas_save_admin_options() invoked
Impact
useradminsimplifier_options database entry permanently overwritten

Vulnerability AssessmentAI

Exploitation Exploitation requires three concrete conditions: (1) the User Admin Simplifier plugin version 3.0.0 or earlier must be installed and active on the target WordPress site; (2) a WordPress site administrator must be authenticated (actively logged in) at the time the forged request is received - the session cookie must be valid; and (3) the administrator must be socially engineered into clicking a malicious link or visiting an attacker-controlled page that silently submits the forged request, as confirmed by the CVSS UI:R metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (Medium) is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a webpage containing a hidden HTML form that auto-submits a POST request to the target WordPress site's admin endpoint for `useradminsimplifier_options_page`, then delivers a link to that page via email or a comment to a site administrator. When the authenticated administrator visits the page, their browser automatically includes their session cookie, the server skips nonce validation, invokes `uas_save_admin_options()`, and permanently overwrites the `useradminsimplifier_options` database entry - deleting stored menu and toolbar configurations for targeted users. …
Remediation A patch is available via the WordPress plugin repository changeset (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3566637%40user-admin-simplifier&new=3566637%40user-admin-simplifier&sfp_email=&sfph_mail=), however the specific released version number containing the fix is not confirmed in the available intelligence data - administrators should update User Admin Simplifier to the latest version available in the WordPress plugin dashboard and verify the installed version exceeds 3.0.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11775 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy