[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fbmxVrI2Wkf0eiE4a4y-OBvAuri2GDUaixaBOUS43gOM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":9,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":38},"CVE-2026-32456","admin-menu-editor-cross-site-request-forgery","Admin Menu Editor \u003C= 1.14.1 - Cross-Site Request Forgery","The Admin Menu Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.14.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.","admin-menu-editor",null,"\u003C=1.14.1","1.15","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-03-10 00:00:00","2026-03-19 15:56:50",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F13c969f3-55d7-4a05-aec8-460bb6faf9da?source=api-prod",10,[22,23,24,25,26,27],"css\u002F_ui-constants.scss","css\u002Fmenu-editor.css","css\u002Fmenu-editor.css.map","css\u002Fmenu-editor.scss","customizables\u002FBuilders\u002FBaseElementBuilder.php","customizables\u002FBuilders\u002FContainerBuilder.php","researched",false,3,"This research plan outlines the steps to verify the Cross-Site Request Forgery (CSRF) vulnerability in the **Admin Menu Editor** plugin (\u003C= 1.14.1).\n\n## 1. Vulnerability Summary\nThe **Admin Menu Editor** plugin is vulnerable to CSRF because it fails to perform adequate nonce validation when saving the admin menu configuration. An attacker can trick a logged-in administrator into submitting a malicious POST request that overwrites the entire WordPress admin menu structure. This can be used to hide security settings, rename menu items to mislead administrators, or lock users out of specific admin areas.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Foptions-general.php?page=menu_editor` (Legacy) or `wp-admin\u002Fadmin-ajax.php` (Modern).\n- **Action:** The plugin typically uses a POST request to the settings page itself or an AJAX action named `ws_ame_save_menu` (inferred from plugin history).\n- **Vulnerable Parameters:** `data` (A JSON-encoded string representing the new menu structure), `data_hash`, and `selected_actor`.\n- **Authentication Level:** Unauthenticated (Attacker-side), but requires an authenticated Administrator to trigger the request via CSRF.\n- **Preconditions:** The target administrator must have the `manage_options` capability and be tricked into visiting a malicious page while logged into the WordPress dashboard.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** The plugin registers its menu page via `add_options_page` in a class (likely `ameMenuEditor`).\n2. **Request Handling:** The function responsible for rendering the editor also checks for POST requests (e.g., `if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['data']))`).\n3. **Vulnerability:** The code likely checks for capabilities (`current_user_can('manage_options')`) but misses `check_admin_referer()` or `check_ajax_referer()`.\n4. **Data Processing:** The `data` parameter is decoded and used to update the `ws_menu_editor` option in the database.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, nonce validation is \"missing or incorrect.\" If a nonce is required but uses a weak\u002Fdefault action, we can extract it.\n\n1. **Identify Script Localization:** The plugin enqueues its editor script and localizes data.\n2. **Execution Agent Steps:**\n   - Navigate to the editor page: `browser_navigate(\"\u002Fwp-admin\u002Foptions-general.php?page=menu_editor\")`\n   - Search for localized variables in the page source. Common candidates: `wsMenuEditorData` or `ameEditorData`.\n   - Use `browser_eval` to extract the nonce:\n     ```javascript\n     \u002F\u002F Try common locations for AME nonces\n     window.wsMenuEditorData?.nonce || window.ameEditorData?.nonce || \"missing\"\n     ```\n   - If `browser_eval` returns \"missing\" and the save request works without a `_wpnonce` or `security` parameter, the nonce check is entirely absent.\n\n## 5. Exploitation Strategy\nWe will simulate a CSRF attack by crafting a POST request that hides the \"Plugins\" menu.\n\n### Step-by-Step Plan:\n1. **Identify current menu structure:** First, we need a valid JSON payload. We will navigate to the menu editor as an admin and extract the current configuration.\n2. **Craft Malicious Payload:** Modify the JSON to set the `hidden` property to `true` for the `plugins-php` item.\n3. **Trigger CSRF:** Use `http_request` to send a POST request as the administrator (simulating the forged request).\n\n### HTTP Request Payload:\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Foptions-general.php?page=menu_editor`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body Parameters:**\n  - `action`: `save_menu` (or simply the POST target)\n  - `data`: `[{\"menu_title\":\"Dashboard\",...},{\"menu_title\":\"Plugins\",\"file\":\"plugins.php\",\"is_hidden\":true,...}]` (URL-encoded JSON)\n  - `data_hash`: (If required, can be bypassed or pre-calculated)\n  - `_wpnonce`: (Only if identified in step 4, otherwise omit)\n\n## 6. Test Data Setup\n1. **Install Plugin:** Ensure Admin Menu Editor v1.14.1 is installed and active.\n2. **Verify Access:** Ensure the admin can see the \"Plugins\" menu normally.\n3. **Shortcode\u002FPage:** No specific shortcodes are needed as the vulnerability resides in the admin-facing editor page.\n\n## 7. Expected Results\n- The server should respond with a 302 redirect back to the menu editor page or a 200 OK (if AJAX).\n- The `ws_menu_editor` option in the database will be updated.\n- The \"Plugins\" menu item will disappear from the WordPress admin sidebar for all users (or the targeted actor).\n\n## 8. Verification Steps\n1. **Database Check:**\n   ```bash\n   wp option get ws_menu_editor\n   ```\n   Check if the JSON contains `\"is_hidden\":true` for the plugins entry.\n2. **UI Check:**\n   Navigate to the dashboard and verify the \"Plugins\" link is missing from the sidebar.\n   ```bash\n   wp plugin list --status=active\n   ```\n   (The plugin will still be active, but invisible in the UI).\n\n## 9. Alternative Approaches\nIf the POST to `options-general.php` fails:\n1. **AJAX Route:** Check for an AJAX handler `ws_ame_save_menu`. Send the payload to `\u002Fwp-admin\u002Fadmin-ajax.php` with `action=ws_ame_save_menu`.\n2. **Incorrect Nonce:** If a nonce is present but \"incorrect,\" try using a nonce generated for a different action (e.g., `-1`) to see if it's accepted.\n3. **Actor Targeting:** Target a specific role (e.g., `editor`) by setting the `selected_actor` parameter to `role:editor` in the POST request to restrict their access while leaving the admin's view intact (stealthier attack).","The Admin Menu Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.14.1 due to missing or incorrect nonce validation when saving menu configurations. This allows unauthenticated attackers to overwrite the admin menu structure, hide menu items, or rename sections by tricking a logged-in administrator into performing an action like clicking a malicious link.","Only in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadmin-menu-editor\u002F1.15\u002Fcss: _collections.scss\nOnly in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadmin-menu-editor\u002F1.15\u002Fcss: _dialogs.scss\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadmin-menu-editor\u002F1.14.1\u002Fcss\u002Fmenu-editor.css \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadmin-menu-editor\u002F1.15\u002Fcss\u002Fmenu-editor.css\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadmin-menu-editor\u002F1.14.1\u002Fcss\u002Fmenu-editor.css\t2025-07-29 11:11:42.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadmin-menu-editor\u002F1.15\u002Fcss\u002Fmenu-editor.css\t2025-12-07 16:46:24.000000000 +0000\n@@ -1084,6 +1084,27 @@\n   z-index: 10000;\n }\n \n+\u002F*\n+Standard WordPress admin colors.\n+\n+Announcement post:\n+https:\u002F\u002Fmake.wordpress.org\u002Fcore\u002F2021\u002F02\u002F23\u002Fstandardization-of-wp-admin-colors-in-wordpress-5-7\u002F\n+\n+Source:\n+https:\u002F\u002Fcodepen.io\u002Fryelle\u002Fpen\u002FWNGVEjw\n+\n+A \"wp\" prefix has been added to avoid name conflicts with other code in this plugin.\n+ *\u002F\n+.ui-dialog .ui-dialog-buttonpane {\n+  background-color: #fcfcfc;\n+  border-top: 1px solid #dcdcde;\n+  padding: 8px;\n+  text-align: right;\n+}\n+.ui-dialog .ui-dialog-buttonpane .button-primary, .ui-dialog .ui-dialog-buttonpane .ame-dialog-confirm-button {\n+  float: left;\n+}\n+\n .settings_page_menu_editor .ui-dialog {\n   background: white;\n   border: 1px solid #c0c0c0;\n@@ -1882,6 +1903,29 @@\n \u002F*********************************************\n       Miscellaneous\n **********************************************\u002F\n+#ws_ame_general_vis_box input[type=checkbox]:indeterminate:before {\n+  content: \"■\";\n+  color: #1e8cbe;\n+  margin: -3px 0 0 -1px;\n+  font: 400 14px\u002F1 dashicons;\n+  float: left;\n+  display: inline-block;\n+  vertical-align: middle;\n+  width: 16px;\n+  -webkit-font-smoothing: antialiased;\n+}\n+@media screen and (max-width: 782px) {\n+  #ws_ame_general_vis_box input[type=checkbox]:indeterminate:before {\n+    height: 1.5625rem;\n+    width: 1.5625rem;\n+    line-height: 1.5625rem;\n+    margin: -1px;\n+    font-size: 18px;\n+    font-family: unset;\n+    font-weight: normal;\n+  }\n+}\n+\n #ws_sidebar_pro_ad {\n   min-width: 225px;\n   max-width: 300px;\n... (truncated)","The exploit targets the admin menu save functionality by forging a POST request. An attacker crafts a payload where the 'data' parameter contains a JSON-encoded string representing a modified admin menu structure (e.g., setting 'is_hidden' to true for the Plugins menu). This request is sent to the plugin's settings page (wp-admin\u002Foptions-general.php?page=menu_editor) or via a specific AJAX action (ws_ame_save_menu). To execute the attack, the attacker tricks a logged-in administrator with 'manage_options' capabilities into visiting a malicious site or clicking a link that triggers the POST request via the victim's browser, bypassing the missing nonce check.","gemini-3-flash-preview","2026-04-18 05:05:13","2026-04-18 05:06:02",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","1.14.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadmin-menu-editor\u002Ftags\u002F1.14.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadmin-menu-editor.1.14.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadmin-menu-editor\u002Ftags\u002F1.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadmin-menu-editor.1.15.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadmin-menu-editor\u002Ftags"]