Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Remove meta boxes per user role plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.01. This is due to missing or incorrect nonce validation on the 'remove-meta-boxes-per-user-role' page. This makes it possible for unauthenticated attackers to modify or reset the plugin's per-role meta box visibility settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AnalysisAI
Cross-Site Request Forgery in the Remove Meta Boxes Per User Role WordPress plugin (all versions ≤1.01) enables unauthenticated remote attackers to modify or reset per-role admin dashboard meta box visibility settings by tricking an authenticated site administrator into clicking a crafted link. The vulnerability stems from absent or incorrect nonce validation on the plugin's settings page, which is the standard WordPress anti-CSRF mechanism. No public exploit has been identified and the issue is not listed in CISA KEV; real-world impact is limited to low-integrity administrative configuration tampering.
Technical ContextAI
The plugin (CPE: cpe:2.3:a:mr_mat:remove_meta_boxes_per_user_role:*:*:*:*:*:*:*:*) provides WordPress administrators the ability to control which meta boxes are displayed on the dashboard per user role. CWE-352 (Cross-Site Request Forgery) arises because the 'remove-meta-boxes-per-user-role' settings handler in admin_pages/settings.php (lines 23 and 26) and the main plugin entrypoint remove-meta-boxes-per-role.php (line 52) do not call wp_verify_nonce() or equivalent nonce checking before processing state-changing requests. WordPress nonces are single-use cryptographic tokens embedded in legitimate admin forms that prevent forged cross-origin requests; their absence means the application cannot distinguish a genuine administrator action from one crafted by an attacker. Because browsers automatically include session cookies on any matching request, a forged request from a malicious page is processed identically to a legitimate one.
RemediationAI
No vendor-released patched version is confirmed in the available data; administrators should monitor the plugin's WordPress SVN repository at https://plugins.trac.wordpress.org/browser/remove-meta-boxes-per-user-role/ for an updated release that introduces wp_verify_nonce() validation on the settings page handler. As an immediate compensating control, consider deactivating or uninstalling the plugin until a fix is released - the trade-off is loss of per-role meta box visibility customization, which is a low-criticality administrative feature. Restricting WordPress admin access (/wp-admin/) to trusted IP ranges via server or WAF rules will reduce the attack surface for all CSRF-dependent attacks, at the cost of reduced remote administrative flexibility. Training administrators to be cautious about clicking unsolicited links while authenticated to WordPress admin is an additional low-overhead mitigation. For the upstream fix, the vendor must add nonce creation (wp_nonce_field()) to the settings form and nonce verification (check_admin_referer()) to the request handler at the referenced source lines.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33898
GHSA-fv5f-r3j5-3jxv