Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Network-delivered CSRF with mandatory admin interaction (UI:R, PR:N) and impact limited to plugin configuration integrity (I:L); no confidentiality or availability impact applies.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The User Admin Simplifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the useradminsimplifier_options_page function. This makes it possible for unauthenticated attackers to reset and permanently delete any user's stored menu and admin-bar configuration via a forged request that triggers uas_save_admin_options() and overwrites the useradminsimplifier_options database entry via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AnalysisAI
Cross-Site Request Forgery in the User Admin Simplifier WordPress plugin (all versions up to and including 3.0.0) enables unauthenticated remote attackers to permanently delete any user's stored admin menu and admin-bar configuration by tricking a logged-in site administrator into submitting a forged request. The flaw exists because the useradminsimplifier_options_page function performs no valid nonce check before invoking uas_save_admin_options(), which unconditionally overwrites the useradminsimplifier_options database entry. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concrete conditions: (1) the User Admin Simplifier plugin version 3.0.0 or earlier must be installed and active on the target WordPress site; (2) a WordPress site administrator must be authenticated (actively logged in) at the time the forged request is received - the session cookie must be valid; and (3) the administrator must be socially engineered into clicking a malicious link or visiting an attacker-controlled page that silently submits the forged request, as confirmed by the CVSS UI:R metric. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.3 (Medium) is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a webpage containing a hidden HTML form that auto-submits a POST request to the target WordPress site's admin endpoint for `useradminsimplifier_options_page`, then delivers a link to that page via email or a comment to a site administrator. When the authenticated administrator visits the page, their browser automatically includes their session cookie, the server skips nonce validation, invokes `uas_save_admin_options()`, and permanently overwrites the `useradminsimplifier_options` database entry - deleting stored menu and toolbar configurations for targeted users. … |
| Remediation | A patch is available via the WordPress plugin repository changeset (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3566637%40user-admin-simplifier&new=3566637%40user-admin-simplifier&sfp_email=&sfph_mail=), however the specific released version number containing the fix is not confirmed in the available intelligence data - administrators should update User Admin Simplifier to the latest version available in the WordPress plugin dashboard and verify the installed version exceeds 3.0.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37974
GHSA-x7qw-qpv3-vwj5