Admin Menu Editor Security & Risk Analysis

wordpress.org/plugins/admin-menu-editor

Lets you edit the WordPress admin menu. You can re-order, hide or rename menus, add custom menus and more.

400K active installs · v1.15 · PHP 7.4+ · WP 5.9+ · Updated Feb 20, 2026
Tags: admin, dashboard, menu, security, wpmu
Score: 96 · A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Mar 10, 2026
Safety Verdict

Is Admin Menu Editor Safe to Use in 2026?

Generally Safe

Score 96/100

Admin Menu Editor has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

3 known CVEs · Last CVE: Mar 10, 2026 · Updated 2mo ago
Risk Assessment

The 'admin-menu-editor' plugin v1.15 has a generally good security posture, with a strong emphasis on authentication and authorization: it has no unprotected entry points and performs a substantial number of capability checks. It uses prepared statements for the majority of its SQL queries and escapes a significant portion of its output. However, two uses of the `unserialize` function and three taint flows with unsanitized paths are significant concerns, indicating a potential risk of arbitrary code execution or data manipulation if these flows are reachable by untrusted input. The vulnerability history shows no currently unpatched CVEs, but the earlier Cross-Site Scripting and CSRF vulnerabilities suggest that improper input handling and authorization bypasses have been issues before. The plugin's strengths lie in its robust authentication and authorization implementation; its weaknesses stem from the direct use of potentially insecure functions and the identified unsanitized data flows, which warrant careful review and mitigation.

Key Concerns

  • Dangerous function: unserialize used
  • 3 taint flows with unsanitized paths (High severity)
  • 2 out of 10 SQL queries may not use prepared statements
  • 24% of output is not properly escaped
  • Vulnerability history: Past XSS and CSRF issues
Vulnerabilities
3 published

Admin Menu Editor Security Vulnerabilities

CVEs by Year

1 CVE in 2024
1 CVE in 2025
1 CVE in 2026

Severity Breakdown

Medium: 3

3 total CVEs

CVE-2026-32456 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Admin Menu Editor <= 1.14.1 - Cross-Site Request Forgery

Mar 10, 2026 · Patched in 1.15 (10d)

CVE-2025-9493 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Admin Menu Editor <= 1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via placeholder Parameter

Sep 5, 2025 · Patched in 1.14.1 (1d)

CVE-2024-24876 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Admin Menu Editor <= 1.12 - Cross-Site Request Forgery via ajax_hide_hint()

Feb 5, 2024 · Patched in 1.12.1 (73d)
Version History

Admin Menu Editor Release Timeline

v1.15 · Current · 116 files changed
v1.14.1 · 1 CVE · 15 files changed
v1.14 · 2 CVEs · 78 files changed
v1.13.1 · 2 CVEs · 4 files changed
v1.13 · 2 CVEs · 127 files changed
v1.12.4 · 2 CVEs · 25 files changed
v1.12.3 · 2 CVEs · 15 files changed
v1.12.2 · 2 CVEs · 14 files changed
v1.12.1 · 2 CVEs · 31 files changed
v1.12 · 3 CVEs · 7 files changed
v1.11.2 · 3 CVEs · 9 files changed
v1.11.1 · 3 CVEs · 67 files changed
v1.11 · 3 CVEs · 164 files changed
v1.10.4 · 3 CVEs · 5 files changed
v1.10.3 · 3 CVEs · 25 files changed
v1.10.2 · 3 CVEs · 41 files changed
v1.10.1 · 3 CVEs · 33 files changed
v1.10 · 3 CVEs · 32 files changed
v1.9.10 · 3 CVEs · 7 files changed
Code Analysis
Analyzed Mar 16, 2026

Admin Menu Editor Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 2 (8 prepared)
Unescaped Output: 91 (293 escaped)
Nonce Checks: 19
Capability Checks: 24
File Operations: 4
External Requests: 1
Bundled Libraries: 2

Dangerous Functions Found

unserialize · `$value = unserialize(gzuncompress(base64_decode(` · customizables\Storage\ScopedOptionStorage.php:52
unserialize · `$this->options = unserialize(gzuncompress(base64_decode(substr($this->options, strlen($prefix)))));` · includes\shadow_plugin_framework.php:132

Bundled Libraries

TinyMCE, Lodash

SQL Query Safety

80% prepared · 10 total queries

Output Escaping

76% escaped · 384 total outputs
Data Flows · Security
3 unsanitized

Data Flow Analysis

4 flows · 3 with unsanitized paths
<Action> (includes\ajax-wrapper-v2\src\Action.php:0)
Attack Surface

Admin Menu Editor Attack Surface

Entry Points: 8
Unprotected: 0

AJAX Handlers 5

auth · wp_ajax_ws_ame_set_test_configuration · includes\access-test-runner.php:27
auth · wp_ajax_ws_ame_hide_hint · includes\menu-editor-core.php:404
auth · wp_ajax_ws_ame_disable_dashboard_hiding_confirmation · includes\menu-editor-core.php:405
auth · wp_ajax_ws_ame_get_pages · includes\menu-editor-core.php:411
auth · wp_ajax_ws_ame_get_page_details · includes\menu-editor-core.php:413

Shortcodes 3

[ame-wp-admin] includes\shortcodes.php:20
[ame-home-url] includes\shortcodes.php:21
[ame-user-info] includes\shortcodes.php:22
WordPress Hooks 87
action · wp_loaded · ajax-wrapper\AjaxWrapper.php:158
filter · script_loader_tag · ajax-wrapper\AjaxWrapper.php:413
action · admin_print_footer_scripts · customizables\Rendering\TabbedPanelRenderer.php:130
filter · admin_menu_editor-script_data · includes\access-test-runner.php:25
action · set_current_user · includes\access-test-runner.php:28
action · admin_print_scripts · includes\access-test-runner.php:126
filter · wp_die_handler · includes\access-test-runner.php:127
action · admin_notices · includes\admin-menu-editor-mu.php:35
action · admin_print_scripts · includes\ajax-wrapper-v2\src\Action.php:334
action · bbp_roles_init · includes\bbpress-role-override.php:10
action · bbp_roles_init · includes\bbpress-role-override.php:38
filter · plugins_url · includes\consistency-check.php:107
filter · plugins_url · includes\consistency-check.php:108
action · admin_enqueue_scripts · includes\menu-editor-core.php:420
action · admin_enqueue_scripts · includes\menu-editor-core.php:423
action · admin_print_styles · includes\menu-editor-core.php:424
action · admin_print_scripts · includes\menu-editor-core.php:427
action · admin_notices · includes\menu-editor-core.php:430
action · all_admin_notices · includes\menu-editor-core.php:433
action · wp_login · includes\menu-editor-core.php:436
filter · user_has_cap · includes\menu-editor-core.php:439
filter · user_has_cap · includes\menu-editor-core.php:440
filter · map_meta_cap · includes\menu-editor-core.php:441
action · set_current_user · includes\menu-editor-core.php:444
action · updated_user_meta · includes\menu-editor-core.php:446
action · deleted_user_meta · includes\menu-editor-core.php:447
action · switch_blog · includes\menu-editor-core.php:452
filter · plugin_row_meta · includes\menu-editor-core.php:473
action · admin_menu_editor-display_tabs · includes\menu-editor-core.php:476
action · admin_menu_editor-display_header · includes\menu-editor-core.php:477
action · admin_menu_editor-display_footer · includes\menu-editor-core.php:478
action · admin_notices · includes\menu-editor-core.php:521
action · plugins_loaded · includes\menu-editor-core.php:536
action · adminmenu · includes\menu-editor-core.php:795
action · in_admin_header · includes\menu-editor-core.php:800
action · in_admin_header · includes\menu-editor-core.php:801
action · admin_menu_editor-register_hideable_items · includes\menu-editor-core.php:807
filter · admin_menu_editor-save_hideable_items-admin-menu · includes\menu-editor-core.php:814
action · all_admin_notices · includes\menu-editor-core.php:1716
filter · mailpoet_conflict_resolver_whitelist_style · includes\menu-editor-core.php:4762
action · switch_blog · includes\menu-item.php:759
action · admin_menu_editor-register_scripts · includes\module.php:41
filter · admin_menu_editor-base_scripts · includes\module.php:42
action · admin_menu_editor-tabs · includes\module.php:46
filter · plugin_action_links · includes\shadow_plugin_framework.php:101
action · admin_notices · includes\version-conflict-check.php:21
filter · script_loader_tag · includes\wp-dependency-wrapper\ScriptDependency.php:295
filter · admin_menu_editor-base_scripts · modules\actor-selector\actor-selector.php:11
filter · admin_menu_editor-users_to_load · modules\actor-selector\actor-selector.php:13
action · registered_post_type · modules\content-permissions\content-permissions.php:55
action · admin_menu_editor-settings_page_extra · modules\content-permissions\content-permissions.php:60
action · admin_menu_editor-settings_changed · modules\content-permissions\content-permissions.php:61
action · registered_post_type · modules\content-permissions\content-permissions.php:366
action · map_meta_cap · modules\content-permissions\content-permissions.php:386
action · wp_loaded · modules\content-permissions\content-permissions.php:388
filter · the_content · modules\content-permissions\content-permissions.php:491
filter · get_the_excerpt · modules\content-permissions\content-permissions.php:492
filter · the_content_feed · modules\content-permissions\content-permissions.php:493
filter · comments_template · modules\content-permissions\content-permissions.php:496
filter · get_comment_text · modules\content-permissions\content-permissions.php:499
filter · the_posts · modules\content-permissions\content-permissions.php:557
filter · posts_clauses · modules\content-permissions\content-permissions.php:885
filter · query · modules\content-permissions\content-permissions.php:892
filter · get_next_post_where · modules\content-permissions\content-permissions.php:1043
filter · get_previous_post_where · modules\content-permissions\content-permissions.php:1044
filter · user_has_cap · modules\content-permissions\content-permissions.php:1107
action · add_meta_boxes · modules\content-permissions\editor-ui.php:81
action · save_post · modules\content-permissions\editor-ui.php:82
action · admin_enqueue_scripts · modules\content-permissions\editor-ui.php:90
action · admin_enqueue_scripts · modules\content-permissions\editor-ui.php:115
action · deleted_post · modules\content-permissions\policy.php:252
action · admin_menu_editor-menu_replaced · modules\highlight-new-menus\wsNewMenuHighlighter.php:80
action · admin_menu_editor-menu_replacement_skipped · modules\highlight-new-menus\wsNewMenuHighlighter.php:81
action · admin_menu · modules\highlight-new-menus\wsNewMenuHighlighter.php:83
action · admin_enqueue_scripts · modules\highlight-new-menus\wsNewMenuHighlighter.php:86
action · admin_init · modules\highlight-new-menus\wsNewMenuHighlighter.php:89
filter · all_plugins · modules\plugin-visibility\plugin-visibility.php:67
filter · site_transient_update_plugins · modules\plugin-visibility\plugin-visibility.php:70
action · check_admin_referer · modules\plugin-visibility\plugin-visibility.php:75
filter · editable_extensions · modules\plugin-visibility\plugin-visibility.php:80
action · admin_menu_editor-header · modules\plugin-visibility\plugin-visibility.php:83
action · admin_notices · modules\plugin-visibility\plugin-visibility.php:86
filter · login_redirect · modules\redirector\redirector.php:65
filter · logout_redirect · modules\redirector\redirector.php:67
filter · registration_redirect · modules\redirector\redirector.php:69
filter · admin_menu_editor-redirected_user · modules\redirector\redirector.php:73
filter · allowed_redirect_hosts · modules\redirector\redirector.php:226
Maintenance & Trust

Admin Menu Editor Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 20, 2026
PHP min version: 7.4
Downloads: 7.8M

Community Trust

Rating: 92/100
Number of ratings: 311
Active installs: 400K
Developer Profile

Admin Menu Editor Developer Profile

Janis Elsts

8 plugins · 431K total installs

Trust score: 72
Avg Security Score: 90/100
Avg Patch Time: 469 days
Detection Fingerprints

How We Detect Admin Menu Editor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/admin-menu-editor/css/style.css
  • /wp-content/plugins/admin-menu-editor/css/color-picker.css
  • /wp-content/plugins/admin-menu-editor/js/color-picker.js
  • /wp-content/plugins/admin-menu-editor/js/menu-editor.js
  • /wp-content/plugins/admin-menu-editor/js/customizable-manager.js
  • /wp-content/plugins/admin-menu-editor/js/ame-editor-dependencies.js
  • /wp-content/plugins/admin-menu-editor/js/utils.js
  • /wp-content/plugins/admin-menu-editor/js/customizable-settings.js
  • (+15 more)
Script Paths
  • /wp-content/plugins/admin-menu-editor/js/menu-editor.js
  • /wp-content/plugins/admin-menu-editor/js/color-picker.js
  • /wp-content/plugins/admin-menu-editor/js/customizable-manager.js
  • /wp-content/plugins/admin-menu-editor/js/customizable-settings.js
  • /wp-content/plugins/admin-menu-editor/js/customizable-controls.js
  • /wp-content/plugins/admin-menu-editor/js/utils.js
  • (+4 more)
Version Parameters
  • admin-menu-editor/css/style.css?ver=
  • admin-menu-editor/js/menu-editor.js?ver=
  • admin-menu-editor/js/color-picker.js?ver=
  • admin-menu-editor/js/customizable-manager.js?ver=
  • admin-menu-editor/js/customizable-settings.js?ver=
  • admin-menu-editor/js/customizable-controls.js?ver=
  • admin-menu-editor/js/utils.js?ver=
  • admin-menu-editor/js/ame-editor-dependencies.js?ver=
  • admin-menu-editor/js/admin-menu-editor-pro.js?ver=
  • admin-menu-editor/js/welcome-screen.js?ver=
  • admin-menu-editor/modules/highlight-new-menus/highlight-new-menus.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • ame-form-box
  • ame-form-box-main-column
  • ame-form-box-sidebar-column
  • ame-form-box-header
  • ame-form-box-title
  • ame-form-box-content
  • ame-form-box-group
  • ame-form-box-group-title
  • (+5 more)
HTML Comments
  • This plugin may include third-party libraries and other content that is licensed under various GPL-compatible licenses. In such cases, the relevant license will usually be stated at the top of the source code file or in "readme.txt", "license.txt" or a similar file located in the same directory as the content.
  • To install Admin Menu Editor as a global plugin in WPMU :
  • Place the "admin-menu-editor" directory into your "mu-plugins" directory.
  • Move this file, admin-menu-editor-mu.php, from the "admin-menu-editor" directory
  • (+6 more)
Data Attributes
  • data-ame-setting-id
  • data-bind
  • ameObservableChangeEvents
JS Globals
  • ws_menu_editor
  • ameObservableChangeEvents
  • ameLicensingUi
  • wsNewMenuHighlighter
  • wpColorPicker
FAQ

Frequently Asked Questions about Admin Menu Editor