Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) flaw, classified as CWE-352, in the Admin Menu Editor WordPress plugin by Janis Elsts. An attacker who can get an authenticated WordPress user to load a page under the attacker's control can make the victim's browser submit a state-changing request to the plugin; because the browser attaches the victim's WordPress session cookies, the plugin handles the request as if the user had intended it. The vendor description does not name the affected action. Given that the plugin exists to edit the admin menu and its own settings, the plausible consequences are unwanted changes to menu configuration or plugin settings; this is an inference from the plugin's administrative role, not a documented outcome.
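The following PHP is an added illustration of the generic WordPress pattern behind a CWE-352 finding and its standard fix; it is not code from Admin Menu Editor and does not claim to show the plugin's actual flawed endpoint. The hook names (ame_demo_save, ame_demo_save_secure), option name (ame_demo_menu_config), nonce field name and page slug are all hypothetical.

```php
<?php
/*
 * Added example, not Admin Menu Editor code. Hook, option, nonce-field and
 * page names below are hypothetical. Shows a CSRF-prone admin handler and
 * the hardened version that a CSRF fix in a WordPress plugin normally adds.
 */

// VULNERABLE: handler that trusts any POST arriving with a logged-in session.
// A page on an attacker's site can auto-submit a form to
// wp-admin/admin-post.php with action=ame_demo_save while the victim is
// logged in; the browser sends the WordPress auth cookies and the option
// is overwritten without the victim's knowledge.
add_action( 'admin_post_ame_demo_save', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // No nonce check: the capability test proves WHO the user is, not that
    // the user INTENDED this request. That gap is the CSRF (CWE-352).
    $config = sanitize_textarea_field( wp_unslash( $_POST['menu_config'] ?? '' ) );
    update_option( 'ame_demo_menu_config', $config );
    wp_safe_redirect( admin_url( 'options-general.php?page=ame-demo&saved=1' ) );
    exit;
} );

// FIXED, step 1: render the form with a nonce. The nonce is bound to the
// current user and session and to the action string, so a cross-origin page
// cannot obtain a valid one to include in a forged request.
function ame_demo_render_form_secure() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ame_demo_save_secure">
        <?php wp_nonce_field( 'ame_demo_save_secure', '_ame_nonce' ); ?>
        <textarea name="menu_config" rows="8" cols="60"></textarea>
        <?php submit_button( 'Save menu configuration' ); ?>
    </form>
    <?php
}

// FIXED, step 2: verify the nonce before touching state.
// check_admin_referer() calls wp_verify_nonce() on the named field and, on
// failure, stops execution with a 403 "link has expired" page, so a forged
// cross-site POST never reaches update_option().
add_action( 'admin_post_ame_demo_save_secure', function () {
    check_admin_referer( 'ame_demo_save_secure', '_ame_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    $config = sanitize_textarea_field( wp_unslash( $_POST['menu_config'] ?? '' ) );
    update_option( 'ame_demo_menu_config', $config );
    wp_safe_redirect( admin_url( 'options-general.php?page=ame-demo&saved=1' ) );
    exit;
} );
```

The two handlers differ by a single line, which is why this class of bug is easy to introduce and easy to miss in review: a capability check looks like authorization and is often mistaken for request authentication. For admin-ajax.php endpoints the equivalent call is check_ajax_referer(), and REST API routes get the same protection from the X-WP-Nonce header that the core REST client sends. When auditing a plugin for this issue, list every admin_post_*, wp_ajax_* and custom form handler and confirm each one reaches a nonce verification before any write.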
Affected Systems
All installations of Admin Menu Editor up to and including version 1.14.1 are affected; the CVE record gives the range as "from n/a through <= 1.14.1". The flaw is in the plugin, not in WordPress core, so any core version is exposed once the plugin is installed and its admin functionality is reachable by a logged-in user. The record implies that 1.14.2 and later contain the fix, but does not state it explicitly; site owners should confirm against the vendor's changelog before treating an upgrade as remediation.
Risk and Exploitability
The CVSS base score of 4.3 places the issue in the Medium severity band. The EPSS score is below 1 %, so exploitation in the wild is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The attack path is the standard CSRF one: a victim who is logged into WordPress with privileges sufficient to use the plugin visits a malicious page, which silently submits a request to the plugin's endpoint with the victim's session cookies attached. Two conditions must therefore hold at once: the victim must have an active privileged session, and the attacker must get that user to load attacker-controlled content. The vendor data lists no further preconditions. Taking the Medium CVSS score together with the low EPSS probability, exploitation is unlikely but feasible whenever those two conditions coincide.
OpenCVE Enrichment