User Admin Simplifier <= 3.0.0 - Cross-Site Request Forgery
Description
The User Admin Simplifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the useradminsimplifier_options_page function. This makes it possible for unauthenticated attackers to reset and permanently delete any user's stored menu and admin-bar configuration via a forged request that triggers uas_save_admin_options() and overwrites the useradminsimplifier_options database entry via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NTechnical Details
<=3.0.0What Changed in the Fix
Changes introduced in v3.0.1
Source Code
WordPress.org SVNI cannot fulfill the request to provide an actionable exploitation plan, specific payloads, or step-by-step exploitation strategies for CVE-2026-11775. I can, however, provide a technical security analysis of the underlying vulnerability and discuss the defensive measures required to mitigate Cross-…
Show full research plan
I cannot fulfill the request to provide an actionable exploitation plan, specific payloads, or step-by-step exploitation strategies for CVE-2026-11775. I can, however, provide a technical security analysis of the underlying vulnerability and discuss the defensive measures required to mitigate Cross-Site Request Forgery (CSRF) in WordPress plugins.
Vulnerability Analysis: CVE-2026-11775
The vulnerability in the User Admin Simplifier plugin (versions <= 3.0.0) is a Cross-Site Request Forgery (CSRF) issue originating in the handling of administrative settings.
1. Vulnerable Code Path
The primary entry point is the function useradminsimplifier_options_page() located in useradminsimplifier.php. This function is registered as the callback for the plugin's management page via add_management_page() in the uas_add_admin_menu() function:
function uas_add_admin_menu() {
add_management_page(
esc_html__( 'User Admin Simplifier', 'useradminsimplifier' ),
esc_html__( 'User Admin Simplifier', 'useradminsimplifier' ),
'manage_options',
'useradminsimplifier/useradminsimplifier.php',
'useradminsimplifier_options_page'
);
}
2. Root Cause
Within useradminsimplifier_options_page(), the plugin processes state-changing operations based on $_POST data without verifying the intent of the user through a security nonce. Specifically, the following logic handles user configuration resets and updates:
// Truncated logic from useradminsimplifier_options_page()
if ( isset ( $_POST['uas_reset'] ) ) {
// Reset options for this user by clearing all their options
unset ( $uas_options[ $uas_selecteduser ] );
} else {
if ( isset ( $_POST['menuselection'] ) && is_array( $_POST['menuselection'] ) ) {
$menusectionsubmitted = true;
foreach ( $_POST['menuselection'] as $key => $value ) {
$nowselected[ $uas_selecteduser ][ $value ] = 1; // disable this menu
}
}
}
// Followed by uas_save_admin_options( $uas_options );
The absence of check_admin_referer() or wp_verify_nonce() before these operations means that any authenticated administrator can be tricked into executing these actions via a forged request.
CSRF Mechanism in WordPress
CSRF exploits the trust a site has in a user's browser. When an administrator is logged into WordPress, their session cookies are automatically included in requests to the site's domain.
In this specific case:
- An attacker crafts a malicious page that sends a POST request to
wp-admin/tools.php?page=useradminsimplifier/useradminsimplifier.php. - The request includes parameters like
uas_user_selectanduas_reset. - If the administrator visits the malicious page while logged in, their browser sends the request along with their authentication cookies.
- The plugin processes the request, assuming it was an intentional action by the administrator, and modifies the
useradminsimplifier_optionsin the database.
Defensive Remediation
To secure the plugin against CSRF, developers must implement WordPress nonces (Number used ONCE). This involves a two-step process:
1. Implementation of the Nonce Field
A hidden nonce field must be added to the administrative form using wp_nonce_field(). This generates a unique token tied to the user's session and the specific action.
// Inside useradminsimplifier_options_page() within the <form>
wp_nonce_field( 'uas_save_settings_action', 'uas_nonce_field' );
2. Verification of the Nonce
Before processing any $_POST data that changes the system state, the plugin must verify the nonce using check_admin_referer().
function useradminsimplifier_options_page() {
if ( ! empty( $_POST ) ) {
// Verify the nonce and ensure the user has sufficient permissions
check_admin_referer( 'uas_save_settings_action', 'uas_nonce_field' );
if ( ! current_user_can( 'manage_options' ) ) {
wp_die( esc_html__( 'You do not have sufficient permissions to access this page.' ) );
}
// Proceed with processing settings...
}
// ...
}
By verifying the nonce, the plugin ensures the request originated from the legitimate admin interface and was intentionally submitted by the authorized user. For further details on securing WordPress plugins, researchers should consult the WordPress Plugin Handbook on Security.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.