CVE-2026-8422

Remove meta boxes per user role <= 1.01 - Cross-Site Request Forgery to Settings Update

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Remove meta boxes per user role plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.01. This is due to missing or incorrect nonce validation on the 'remove-meta-boxes-per-user-role' page. This makes it possible for unauthenticated attackers to modify or reset the plugin's per-role meta box visibility settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.01
PublishedJune 1, 2026
Last updatedJune 2, 2026
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-8422 (Remove meta boxes per user role) ## 1. Vulnerability Summary **CVE-2026-8422** is a Cross-Site Request Forgery (CSRF) vulnerability in the "Remove meta boxes per user role" WordPress plugin (versions <= 1.01). The vulnerability exists because the plugin'…

Show full research plan

Exploitation Research Plan: CVE-2026-8422 (Remove meta boxes per user role)

1. Vulnerability Summary

CVE-2026-8422 is a Cross-Site Request Forgery (CSRF) vulnerability in the "Remove meta boxes per user role" WordPress plugin (versions <= 1.01). The vulnerability exists because the plugin's settings update logic, likely located within the administration menu callback or an admin_init hook, fails to implement WordPress nonce verification. This allows an unauthenticated attacker to craft a malicious request that, if executed by a logged-in administrator, modifies or resets the plugin's configuration, potentially disrupting administrative workflows or altering content management interfaces across roles.

2. Attack Vector Analysis

  • Vulnerable Endpoint: /wp-admin/options-general.php?page=remove-meta-boxes-per-user-role (inferred slug) or a POST request to /wp-admin/admin-post.php.
  • HTTP Method: POST
  • Authentication Requirement: The request must be executed in the context of a user with manage_options capabilities (typically an Administrator).
  • Payload Carrying Parameter: Inferred parameters based on plugin functionality include arrays like rmb_settings[role][post_type] or similar structures used to store hidden meta box IDs.
  • Preconditions:
    1. The plugin must be active.
    2. An administrator must be tricked into clicking a link or visiting a site that triggers a cross-site POST request to the vulnerable WordPress instance.

3. Code Flow (Inferred)

  1. Registration: The plugin registers a settings page using add_options_page() or add_menu_page() in the admin_menu hook.
  2. Hooking: The plugin likely uses admin_init or checks $_POST inside the menu callback function to process settings.
  3. Vulnerable Sink: The handler checks for the presence of a specific submit parameter (e.g., isset($_POST['submit'])) and perhaps validates capabilities using current_user_can('manage_options').
  4. Missing Check: The code omits check_admin_referer() or wp_verify_nonce().
  5. Processing: The handler iterates through the $_POST data and saves it using update_option('remove_meta_boxes_settings', ...) (inferred option name).

4. Nonce Acquisition Strategy

No nonce is required.
The essence of this CSRF vulnerability is the total absence of nonce validation or incorrect implementation (e.g., using a fixed string or failing to check the return value). The exploitation agent should verify this by attempting a request with an intentionally invalid or missing nonce parameter.

5. Exploitation Strategy

The goal is to demonstrate that settings can be changed without a valid nonce.

Step 1: Discover Parameters

Navigate to the settings page and extract the form structure:

  1. Use browser_navigate to /wp-admin/options-general.php?page=remove-meta-boxes-per-user-role.
  2. Use browser_eval to extract input names: Array.from(document.querySelectorAll('input, select')).map(i => i.name).

Step 2: Craft the Payload

Based on the discovery, construct a POST request.
Example (Inferred):

{
  "action": "update",
  "option_page": "remove-meta-boxes-per-user-role",
  "rmb_role_administrator[post][authordiv]": "1",
  "submit": "Save Changes"
}

Step 3: Execute the Exploit

Use the http_request tool to send the forged request while authenticated as an admin.

  • URL: http://[target-ip]/wp-admin/options-general.php?page=remove-meta-boxes-per-user-role
  • Method: POST
  • Headers:
    • Content-Type: application/x-www-form-urlencoded
  • Body: rmb_role_administrator%5Bpost%5D%5Bauthordiv%5D=1&submit=Save+Changes (Note: No _wpnonce included).

6. Test Data Setup

  1. Install Plugin: wp plugin install remove-meta-boxes-per-user-role --version=1.01 --activate
  2. Initial Configuration:
    • Log in as admin.
    • Navigate to the plugin settings.
    • Ensure all boxes are currently visible (unchecked).
  3. Identify Target Meta Box: Choose a standard meta box like authordiv (Author) or categorydiv (Categories) on the post post type.

7. Expected Results

  • Success Indicator: The HTTP response should be a 302 Redirect back to the settings page with a success parameter (e.g., settings-updated=true) or a 200 OK showing the updated state.
  • UI Change: When visiting the "New Post" page as an administrator, the targeted meta box (e.g., Author) should now be hidden.

8. Verification Steps

After sending the http_request, verify the change via WP-CLI:

  1. Check Option: wp option get remove_meta_boxes_settings (Verify the exact option name using wp option list --search="remove_meta" first).
  2. Confirm Role Impact: Check if the serialized data in the database reflects the new hidden status for the chosen role.
  3. Manual Check: wp post create --post_type=post --post_title="Verify Hide" and check the edit screen via the browser.

9. Alternative Approaches

If the plugin uses admin-post.php instead of the settings page directly:

  1. Grep for Handler: grep -r "admin_post_" wp-content/plugins/remove-meta-boxes-per-user-role/
  2. New Target URL: Change the http_request URL to /wp-admin/admin-post.php.
  3. Payload Adjustment: Ensure the action parameter matches the registered admin_post_ hook suffix.
Research Findings
Static analysis — not yet PoC-verified

Summary

The 'Remove meta boxes per user role' plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) due to a lack of nonce validation in its settings save logic. This allows unauthenticated attackers to modify or reset the visibility of meta boxes for any user role if they can trick an administrator into clicking a malicious link or submitting a forged form.

Vulnerable Code

// remove-meta-boxes-per-user-role.php (or similar main file)
// Likely located within a function hooked to 'admin_init' or the menu callback

function rmb_save_settings() {
    if ( isset( $_POST['submit_rmb_settings'] ) ) {
        // MISSING: check_admin_referer( 'rmb_save_nonce', 'rmb_nonce_field' );
        
        if ( current_user_can( 'manage_options' ) ) {
            $settings = $_POST['rmb_settings'];
            update_option( 'remove_meta_boxes_settings', $settings );
        }
    }
}

Security Fix

--- a/remove-meta-boxes-per-user-role.php
+++ b/remove-meta-boxes-per-user-role.php
@@ -10,6 +10,10 @@
 
 function rmb_save_settings() {
     if ( isset( $_POST['submit_rmb_settings'] ) ) {
+        if ( ! isset( $_POST['rmb_nonce_field'] ) || ! wp_verify_nonce( $_POST['rmb_nonce_field'], 'rmb_save_action' ) ) {
+            wp_die( 'Security check failed' );
+        }
+
         if ( current_user_can( 'manage_options' ) ) {
             $settings = $_POST['rmb_settings'];
             update_option( 'remove_meta_boxes_settings', $settings );
@@ -25,5 +29,6 @@
     <form method="post" action="">
+        <?php wp_nonce_field( 'rmb_save_action', 'rmb_nonce_field' ); ?>
         <!-- settings fields here -->
         <input type="submit" name="submit_rmb_settings" value="Save Changes">
     </form>

Exploit Outline

The exploit targets the plugin's settings update mechanism, which does not verify the origin of requests. An attacker can craft a malicious HTML page containing a form that targets the WordPress administrator settings page (usually `/wp-admin/options-general.php?page=remove-meta-boxes-per-user-role`). The payload includes POST parameters like 'rmb_settings[role][post_type][box_id]' set to '1' to hide specific elements. The attacker then tricks a logged-in Administrator into visiting this malicious page (e.g., via phishing or a comment link). Since the plugin lacks a nonce check, the browser automatically includes the administrator's session cookies, and the settings are updated according to the attacker's payload.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.