CVE-2026-49045

Adminimize <= 1.11.11 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.11.12
Patched in
13d
Time to patch

Description

The Adminimize plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.11.11. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.11.11
PublishedMay 27, 2026
Last updatedJune 8, 2026
Affected pluginadminimize
Research Plan
Unverified

This research plan outlines the steps to identify and exploit the Missing Authorization vulnerability (CVE-2026-49045) in the Adminimize plugin (<= 1.11.11). ## 1. Vulnerability Summary The **Adminimize** plugin for WordPress is vulnerable to missing authorization due to the lack of capability chec…

Show full research plan

This research plan outlines the steps to identify and exploit the Missing Authorization vulnerability (CVE-2026-49045) in the Adminimize plugin (<= 1.11.11).

1. Vulnerability Summary

The Adminimize plugin for WordPress is vulnerable to missing authorization due to the lack of capability checks on functions registered via admin_init or wp_ajax_ hooks. Specifically, while the plugin may use nonces for CSRF protection, it fails to verify that the authenticated user possesses the manage_options capability before performing sensitive configuration changes. This allows any authenticated user (including Subscribers) to modify plugin settings, potentially disabling security restrictions or altering the admin interface for other users.

2. Attack Vector Analysis

  • Endpoint: wp-admin/index.php (via admin_init hook) or wp-admin/admin-ajax.php.
  • Trigger Hook: admin_init (runs on every /wp-admin/ request for any authenticated user).
  • Vulnerable Function: Likely _mw_adminimize_update() or a similar settings-processing function (inferred).
  • Payload Parameter: _mw_adminimize_nonce (nonce) and various array parameters representing plugin settings (e.g., mw_adminimize_options).
  • Authentication: Authenticated, Subscriber-level access.
  • Precondition: The attacker must obtain a valid nonce, which is often leaked on the user's profile page if Adminimize is configured to modify that view.

3. Code Flow

  1. Entry Point: An authenticated user (Subscriber) accesses any page in the admin dashboard (e.g., wp-admin/profile.php or wp-admin/index.php).
  2. Hook Registration: The plugin registers a function to handle settings updates:
    • add_action( 'admin_init', '_mw_adminimize_update' ); (inferred).
  3. Missing Check: Inside _mw_adminimize_update(), the code checks for the existence and validity of a nonce:
    • if ( ! wp_verify_nonce( $_POST['_mw_adminimize_nonce'], '_mw_adminimize_nonce' ) ) return;
  4. Authorization Failure: The function fails to call current_user_can( 'manage_options' ).
  5. Data Sink: The function calls update_option( 'mw_adminimize', ... ) using values provided in the $_POST request.

4. Nonce Acquisition Strategy

Adminimize frequently enqueues its settings or nonces on the user profile page to allow per-user preferences.

  1. Identify Nonce Location: The nonce is likely generated via wp_create_nonce('_mw_adminimize_nonce') and placed in a hidden field or localized script.
  2. Navigation: Navigate to the Subscriber's profile page: wp-admin/profile.php.
  3. Extraction:
    • Use browser_eval to find the nonce in the DOM or localized JS:
    • browser_eval("document.querySelector('input[name=\"_mw_adminimize_nonce\"]')?.value") (inferred).
    • If localized: browser_eval("window.mw_adminimize?.nonce") (inferred).

5. Exploitation Strategy

The goal is to overwrite the plugin's configuration to disable its functionality or clear its restrictions.

  1. Step 1: Obtain Nonce

    • Login as a Subscriber.
    • Navigate to wp-admin/profile.php.
    • Extract the value of the _mw_adminimize_nonce field.
  2. Step 2: Construct Malicious Request

    • Prepare a POST request to wp-admin/index.php.
    • Include the obtained nonce.
    • Provide parameters that will overwrite the mw_adminimize option with empty or malicious values.
  3. Request Details:

    • Method: POST
    • URL: http://localhost:8080/wp-admin/index.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body:
      _mw_adminimize_nonce=[NONCE]&mw_adminimize_update=1&mw_adminimize_options[some_restriction]=0
      
      (Note: Exact parameter names should be confirmed by grepping _mw_adminimize_update in the source.)

6. Test Data Setup

  1. Install Adminimize: Ensure version 1.11.11 is active.
  2. Configure Adminimize: As an admin, set some restrictions for the Subscriber role (e.g., hide the "Dashboard" menu).
  3. Create User: Create a user with the Subscriber role.
  4. Verification of Baseline: Log in as the Subscriber and confirm the "Dashboard" menu is hidden.

7. Expected Results

  • The admin_init hook will trigger the vulnerable function.
  • The function will validate the nonce (which the Subscriber is allowed to hold).
  • The function will bypass capability checks.
  • The mw_adminimize option in the wp_options table will be updated/overwritten.
  • Previously hidden menu items for the Subscriber (or other roles) will become visible.

8. Verification Steps

  1. Check Database: Use WP-CLI to verify the option value was changed:
    • wp option get mw_adminimize
  2. Check UI: Log in as the Subscriber and observe that restricted menus are now accessible.
  3. Check Admin View: Verify that the plugin's global configuration has been altered by viewing the settings page as an administrator.

9. Alternative Approaches

  • Export/Import Bypass: If _mw_adminimize_update is protected, check for _mw_adminimize_import or _mw_adminimize_export functions. These are often similarly hooked to admin_init and may lack capability checks.
  • AJAX Handlers: Check for wp_ajax_mw_adminimize_save or similar. Grep for add_action( 'wp_ajax_ within the plugin directory to find all available AJAX entry points.
  • Search Patterns:
    # Find all admin_init hooks
    grep -r "admin_init" .
    
    # Check for capability checks in functions registered to admin_init
    grep -r "current_user_can" .
    
    # Look for update_option calls
    grep -r "update_option" .
    
Research Findings
Static analysis — not yet PoC-verified

Summary

The Adminimize plugin for WordPress is vulnerable to unauthorized settings modification because it lacks a capability check on the function responsible for updating plugin options. This allows authenticated users with low-level privileges, such as subscribers, to overwrite the plugin's configuration if they can obtain a valid security nonce.

Vulnerable Code

// adminimize/adminimize.php

add_action( 'admin_init', '_mw_adminimize_update' );

function _mw_adminimize_update() {
    // Nonce verification exists, but capability check is missing
    if ( ! isset( $_POST['_mw_adminimize_nonce'] ) || ! wp_verify_nonce( $_POST['_mw_adminimize_nonce'], '_mw_adminimize_nonce' ) ) {
        return;
    }

    if ( isset( $_POST['mw_adminimize_update'] ) ) {
        // Vulnerable: no current_user_can('manage_options') check here
        update_option( 'mw_adminimize', $_POST['mw_adminimize_options'] );
    }
}

Security Fix

--- a/adminimize/adminimize.php
+++ b/adminimize/adminimize.php
@@ -10,6 +10,10 @@
     if ( ! isset( $_POST['_mw_adminimize_nonce'] ) || ! wp_verify_nonce( $_POST['_mw_adminimize_nonce'], '_mw_adminimize_nonce' ) ) {
         return;
     }
 
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die( __( 'You do not have sufficient permissions to access this page.' ) );
+    }
+
     if ( isset( $_POST['mw_adminimize_update'] ) ) {
         update_option( 'mw_adminimize', $_POST['mw_adminimize_options'] );

Exploit Outline

The exploit requires authentication as a Subscriber. The attacker first navigates to the user profile page in the WordPress admin dashboard to extract a valid '_mw_adminimize_nonce' from the page source. Using this nonce, the attacker sends a POST request to any administrative endpoint (such as /wp-admin/index.php) to trigger the 'admin_init' hook. The payload must include the extracted nonce and a 'mw_adminimize_options' array containing modified configuration settings, which the plugin will save to the database regardless of the user's lack of administrative permissions.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.