Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in WP Media Adminimize allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Adminimize: from n/a through 1.11.11.
AnalysisAI
Missing authorization in the Adminimize WordPress plugin (versions through 1.11.11) allows authenticated low-privileged users to exploit incorrectly configured access control security levels, resulting in unauthorized read access to restricted information. The flaw, classified under CWE-862, was discovered by Patchstack's audit team and affects the plugin's role-based admin interface customization logic. No public exploit or active exploitation has been identified at time of analysis, and SSVC assessment rates exploitation as none with only partial technical impact.
Technical ContextAI
Adminimize is a WordPress admin interface customization plugin developed by WP Media that allows administrators to hide or show menu items and interface elements based on user roles and capabilities. CWE-862 (Missing Authorization) indicates the plugin fails to perform an authorization check before executing a sensitive operation - meaning the code does not verify whether the requesting user holds the required capability or role before granting access to functionality gated by access control levels. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms the flaw is reachable over the network by any authenticated WordPress user, with no special attack complexity. Affected versions span all releases up to and including 1.11.11 per ENISA EUVD-2026-32536 and NVD data.
RemediationAI
No specific patched version number is identified in the available intelligence data - patch availability should be verified directly via the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/adminimize/vulnerability/wordpress-adminimize-plugin-1-11-11-broken-access-control-vulnerability and the WordPress plugin repository for any release beyond 1.11.11. If a patched version is available, upgrade immediately. As a compensating control where upgrading is not immediately possible, restrict WordPress user roles so that untrusted low-privileged accounts (subscribers, contributors) cannot access wp-admin entirely, which removes the authenticated attack surface. Alternatively, deactivate the Adminimize plugin until patching is confirmed - note this will restore default WordPress admin menu visibility for all roles, which may be an acceptable trade-off given the plugin's cosmetic function. Monitoring wp-admin access logs for low-privileged accounts accessing Adminimize configuration endpoints can serve as a detection measure.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32536
GHSA-8g9r-287c-mcw4