Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Janis Elsts Admin Menu Editor admin-menu-editor allows Cross Site Request Forgery.This issue affects Admin Menu Editor: from n/a through <= 1.14.1.
AnalysisAI
A Cross-Site Request Forgery (CSRF) vulnerability exists in Janis Elsts Admin Menu Editor plugin for WordPress, affecting versions up to and including 1.14.1. An attacker can forge requests to modify administrator menu configurations without explicit consent, potentially leading to unauthorized changes to the WordPress admin interface. The vulnerability has a CVSS score of 4.3 (Low-Medium severity) and requires user interaction (UI:R) but can be exploited by an unauthenticated attacker over the network.
Technical ContextAI
This vulnerability is rooted in CWE-352 (Cross-Site Request Forgery), a class of web application security flaw where an attacker tricks an authenticated user into performing unintended actions on a target application. The Admin Menu Editor plugin (CPE: cpe:2.3:a:janis_elsts:admin-menu-editor) is a WordPress administration tool that allows customization of the WordPress admin menu structure. The CSRF flaw indicates the plugin fails to implement or properly validate nonce tokens or same-site cookie protections when processing administrative menu modification requests. This allows an attacker to craft malicious HTML or JavaScript that, when visited by an authenticated WordPress administrator, executes state-changing operations such as hiding menu items, reordering menus, or altering administrative visibility without the administrator's knowledge or consent.
RemediationAI
Immediately upgrade Admin Menu Editor to a patched version later than 1.14.1 (consult the plugin repository or vendor site for the latest stable release). Until an update is available or deployable, implement the following mitigations: enforce the use of security plugins that add CSRF token validation (e.g., Wordfence, Sucuri), educate administrators to avoid visiting untrusted websites while logged into WordPress, and consider restricting WordPress admin access (wp-admin) to specific IP ranges or behind a Web Application Firewall (WAF) with CSRF protections. Additionally, review and harden WordPress security by enabling strong authentication (two-factor authentication via plugins like Duo or Google Authenticator) and audit recent menu modifications for unauthorized changes.
More in Admin Menu Editor
View allThe Admin Menu Editor WordPress plugin through 1.0.4 does not sanitize and escape a parameter before outputting it back
Cross-Site Request Forgery (CSRF) vulnerability in Janis Elsts Admin Menu Editor.12. Rated medium severity (CVSS 4.3), t
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12011