Skip to main content

Admin Menu Editor EUVDEUVD-2026-12011

| CVE-2026-32456 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-03-13 Patchstack
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-12011
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
MEDIUM 4.3

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Janis Elsts Admin Menu Editor admin-menu-editor allows Cross Site Request Forgery.This issue affects Admin Menu Editor: from n/a through <= 1.14.1.

AnalysisAI

A Cross-Site Request Forgery (CSRF) vulnerability exists in Janis Elsts Admin Menu Editor plugin for WordPress, affecting versions up to and including 1.14.1. An attacker can forge requests to modify administrator menu configurations without explicit consent, potentially leading to unauthorized changes to the WordPress admin interface. The vulnerability has a CVSS score of 4.3 (Low-Medium severity) and requires user interaction (UI:R) but can be exploited by an unauthenticated attacker over the network.

Technical ContextAI

This vulnerability is rooted in CWE-352 (Cross-Site Request Forgery), a class of web application security flaw where an attacker tricks an authenticated user into performing unintended actions on a target application. The Admin Menu Editor plugin (CPE: cpe:2.3:a:janis_elsts:admin-menu-editor) is a WordPress administration tool that allows customization of the WordPress admin menu structure. The CSRF flaw indicates the plugin fails to implement or properly validate nonce tokens or same-site cookie protections when processing administrative menu modification requests. This allows an attacker to craft malicious HTML or JavaScript that, when visited by an authenticated WordPress administrator, executes state-changing operations such as hiding menu items, reordering menus, or altering administrative visibility without the administrator's knowledge or consent.

RemediationAI

Immediately upgrade Admin Menu Editor to a patched version later than 1.14.1 (consult the plugin repository or vendor site for the latest stable release). Until an update is available or deployable, implement the following mitigations: enforce the use of security plugins that add CSRF token validation (e.g., Wordfence, Sucuri), educate administrators to avoid visiting untrusted websites while logged into WordPress, and consider restricting WordPress admin access (wp-admin) to specific IP ranges or behind a Web Application Firewall (WAF) with CSRF protections. Additionally, review and harden WordPress security by enabling strong authentication (two-factor authentication via plugins like Duo or Google Authenticator) and audit recent menu modifications for unauthorized changes.

Share

EUVD-2026-12011 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy