Impact
A Cross-Site Request Forgery (CSRF) flaw in the Required Admin Menu Manager plugin lets an attacker cause an authenticated WordPress user to perform actions exposed by the plugin without that user's intent. Based on the description, it is inferred that the attacker needs a victim who is logged in to WordPress and who can be induced to load attacker-controlled content; the browser attaches the victim's session cookie to the forged request automatically. Because the plugin accepts such a request without a nonce or equivalent anti-CSRF check, the attacker can change menu configuration or make other administrative changes that the victim's account is permitted to make. The only weakness underlying the issue is the missing CSRF protection, classified as CWE-352 (Cross-Site Request Forgery).
Affected Systems
All releases of the WordPress Admin Menu Manager plugin up to and including version 1.0.3 are vulnerable. Any installation running 1.0.3 or earlier should be treated as affected until it is updated to a release the vendor identifies as fixed.
Risk and Exploitability
The vulnerability's CVSS base score of 4.3 places it at medium severity. Its EPSS score indicates a very low probability of exploitation in the wild, and the issue is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Based on the description, it is inferred that exploitation requires a victim with an active authenticated WordPress session, so the attacker must first entice that user to visit an attacker-controlled page or click a crafted link that submits the forged request to the site; no compromise of the WordPress site or its domain is needed beforehand. If the victim takes the bait, the attacker can alter menu settings or otherwise change the plugin's configuration with the victim's privileges. As with any CSRF, the attacker cannot read the response to the forged request, so the impact is limited to the state changes the plugin's handlers allow.
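The following is an added illustration of the weakness class described in the Impact and Risk sections above; it is not code from the Admin Menu Manager plugin or from this advisory's source. It shows a hypothetical WordPress admin-post handler that saves a plugin option, first without any CSRF protection (CWE-352) and then hardened with a WordPress nonce. The action name `amm_save_menu`, the option name `amm_menu_order`, the nonce field `amm_save_menu_nonce` and the page slug `amm-settings` are all invented for the example.

```php
<?php
// Added example, not the plugin's own code. Hypothetical names throughout:
// 'amm_save_menu' (admin-post action), 'amm_menu_order' (option),
// 'amm_save_menu_nonce' (nonce field), 'amm-settings' (settings page slug).

// --- Vulnerable pattern (CWE-352): the handler trusts any POST that arrives
// with a valid admin session cookie. A page on any other origin can build a
// form pointing at admin-post.php?action=amm_save_menu and auto-submit it; the
// victim's browser attaches the wp-admin cookie and the change is saved.
function amm_save_menu_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // The capability check only proves the browser is logged in as an admin.
    // It says nothing about whether the admin intended this request.
    $order = isset( $_POST['menu_order'] ) ? (array) wp_unslash( $_POST['menu_order'] ) : array();
    update_option( 'amm_menu_order', array_map( 'sanitize_text_field', $order ) );
    wp_safe_redirect( admin_url( 'admin.php?page=amm-settings&saved=1' ) );
    exit;
}

// --- Hardened pattern: bind the request to a per-user, time-limited nonce
// that is only ever rendered inside the legitimate settings page. A forging
// site cannot read that value because of the same-origin policy.
function amm_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'amm_save_menu', 'amm_save_menu_nonce' ); ?>
        <input type="hidden" name="action" value="amm_save_menu">
        <input type="text" name="menu_order[]" value="">
        <?php submit_button( 'Save menu order' ); ?>
    </form>
    <?php
}

function amm_save_menu_hardened() {
    // check_admin_referer() runs wp_verify_nonce() on the named field and calls
    // wp_die() ("Are you sure you want to do this?") when it is missing or
    // invalid, so a forged cross-site request never reaches update_option().
    check_admin_referer( 'amm_save_menu', 'amm_save_menu_nonce' );

    // Keep the authorization check as well: the nonce proves intent, the
    // capability check proves the user is allowed to make the change.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }

    $order = isset( $_POST['menu_order'] ) ? (array) wp_unslash( $_POST['menu_order'] ) : array();
    update_option( 'amm_menu_order', array_map( 'sanitize_text_field', $order ) );
    wp_safe_redirect( admin_url( 'admin.php?page=amm-settings&saved=1' ) );
    exit;
}

// Register only the hardened handler for the action.
add_action( 'admin_post_amm_save_menu', 'amm_save_menu_hardened' );
```

When auditing a plugin for this class of bug, the practical check is to list every `admin_post_*`, `admin_action_*`, `wp_ajax_*` and `admin_init` handler that writes state (`update_option`, `wp_update_post`, direct `$wpdb` writes) and confirm that each one calls `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` before the write. A `current_user_can()` check on its own, as in the vulnerable handler above, does not prevent CSRF. WordPress nonces are per-user and expire after roughly 24 hours, so a nonce leaked from one session is not reusable against another user.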