Description
The User Admin Simplifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the useradminsimplifier_options_page function. This makes it possible for unauthenticated attackers to reset and permanently delete any user's stored menu and admin-bar configuration via a forged request that triggers uas_save_admin_options() and overwrites the useradminsimplifier_options database entry via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-06-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The User Admin Simplifier plugin contains a missing or incorrect nonce validation in its options page logic. This flaw allows an unauthenticated attacker to submit a forged request, triggering the uas_save_admin_options() routine and overwriting the stored menu and admin‑bar configuration for any user. The vulnerability is a classic Cross‑Site Request Forgery, categorized under CWE‑352, and enables attackers to reset and permanently delete the targeted user's interface settings.

Affected Systems

The flaw exists in all releases of the WordPress plugin User Admin Simplifier up through version 3.0.0. Users running any of these versions are vulnerable until the plugin is updated to a version that addresses the CSRF issue.

Risk and Exploitability

The CVSS score for this vulnerability is 4.3, indicating a medium impact. The EPSS score is currently unavailable, and the flaw is not listed in the CISA KEV catalog. Exploitation requires the attacker to trick a site administrator into visiting a crafted link or embedding the forged request, after which the administrator’s session will be used to reset or delete their configuration. Because the attack can be performed without auth and the effect is limited to configuration settings, the overall risk remains moderate but should still be addressed promptly.

Generated by OpenCVE AI on June 19, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the User Admin Simplifier plugin to the latest release that includes CSRF protection (versions 3.0.1 and newer if available).
  • If an immediate upgrade is not possible, temporarily deactivate the plugin or restrict its availability to Administrator users only.
  • Configure a Web Application Firewall to block POST requests to the plugin’s save endpoint that lack a valid nonce, thereby preventing forged CSRF attempts.

Generated by OpenCVE AI on June 19, 2026 at 04:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Adamsilverstein
Adamsilverstein user Admin Simplifier
Wordpress
Wordpress wordpress
Vendors & Products Adamsilverstein
Adamsilverstein user Admin Simplifier
Wordpress
Wordpress wordpress

Fri, 19 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
Description The User Admin Simplifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the useradminsimplifier_options_page function. This makes it possible for unauthenticated attackers to reset and permanently delete any user's stored menu and admin-bar configuration via a forged request that triggers uas_save_admin_options() and overwrites the useradminsimplifier_options database entry via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title User Admin Simplifier <= 3.0.0 - Cross-Site Request Forgery
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Adamsilverstein User Admin Simplifier
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-22T17:15:40.027Z

Reserved: 2026-06-09T11:58:37.369Z

Link: CVE-2026-11775

cve-icon Vulnrichment

Updated: 2026-06-22T15:43:53.406Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:36:31Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)