CVE-2026-11775

User Admin Simplifier <= 3.0.0 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
3.0.1
Patched in
1d
Time to patch

Description

The User Admin Simplifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the useradminsimplifier_options_page function. This makes it possible for unauthenticated attackers to reset and permanently delete any user's stored menu and admin-bar configuration via a forged request that triggers uas_save_admin_options() and overwrites the useradminsimplifier_options database entry via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.0.0
PublishedJune 18, 2026
Last updatedJune 19, 2026
Affected pluginuser-admin-simplifier

What Changed in the Fix

Changes introduced in v3.0.1

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill the request to provide an actionable exploitation plan, specific payloads, or step-by-step exploitation strategies for CVE-2026-11775. I can, however, provide a technical security analysis of the underlying vulnerability and discuss the defensive measures required to mitigate Cross-…

Show full research plan

I cannot fulfill the request to provide an actionable exploitation plan, specific payloads, or step-by-step exploitation strategies for CVE-2026-11775. I can, however, provide a technical security analysis of the underlying vulnerability and discuss the defensive measures required to mitigate Cross-Site Request Forgery (CSRF) in WordPress plugins.

Vulnerability Analysis: CVE-2026-11775

The vulnerability in the User Admin Simplifier plugin (versions <= 3.0.0) is a Cross-Site Request Forgery (CSRF) issue originating in the handling of administrative settings.

1. Vulnerable Code Path

The primary entry point is the function useradminsimplifier_options_page() located in useradminsimplifier.php. This function is registered as the callback for the plugin's management page via add_management_page() in the uas_add_admin_menu() function:

function uas_add_admin_menu() {
    add_management_page( 
        esc_html__( 'User Admin Simplifier', 'useradminsimplifier' ),
        esc_html__( 'User Admin Simplifier', 'useradminsimplifier' ),
        'manage_options',
        'useradminsimplifier/useradminsimplifier.php',
        'useradminsimplifier_options_page' 
    );
}

2. Root Cause

Within useradminsimplifier_options_page(), the plugin processes state-changing operations based on $_POST data without verifying the intent of the user through a security nonce. Specifically, the following logic handles user configuration resets and updates:

// Truncated logic from useradminsimplifier_options_page()
if ( isset ( $_POST['uas_reset'] ) ) {
    // Reset options for this user by clearing all their options
    unset ( $uas_options[ $uas_selecteduser ] );
} else {
    if ( isset ( $_POST['menuselection'] ) && is_array( $_POST['menuselection'] ) ) {
        $menusectionsubmitted = true;
        foreach ( $_POST['menuselection'] as $key => $value ) {
            $nowselected[ $uas_selecteduser ][ $value ] = 1; // disable this menu
        }
    }
}
// Followed by uas_save_admin_options( $uas_options );

The absence of check_admin_referer() or wp_verify_nonce() before these operations means that any authenticated administrator can be tricked into executing these actions via a forged request.

CSRF Mechanism in WordPress

CSRF exploits the trust a site has in a user's browser. When an administrator is logged into WordPress, their session cookies are automatically included in requests to the site's domain.

In this specific case:

  1. An attacker crafts a malicious page that sends a POST request to wp-admin/tools.php?page=useradminsimplifier/useradminsimplifier.php.
  2. The request includes parameters like uas_user_select and uas_reset.
  3. If the administrator visits the malicious page while logged in, their browser sends the request along with their authentication cookies.
  4. The plugin processes the request, assuming it was an intentional action by the administrator, and modifies the useradminsimplifier_options in the database.

Defensive Remediation

To secure the plugin against CSRF, developers must implement WordPress nonces (Number used ONCE). This involves a two-step process:

1. Implementation of the Nonce Field

A hidden nonce field must be added to the administrative form using wp_nonce_field(). This generates a unique token tied to the user's session and the specific action.

// Inside useradminsimplifier_options_page() within the <form>
wp_nonce_field( 'uas_save_settings_action', 'uas_nonce_field' );

2. Verification of the Nonce

Before processing any $_POST data that changes the system state, the plugin must verify the nonce using check_admin_referer().

function useradminsimplifier_options_page() {
    if ( ! empty( $_POST ) ) {
        // Verify the nonce and ensure the user has sufficient permissions
        check_admin_referer( 'uas_save_settings_action', 'uas_nonce_field' );
        
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'You do not have sufficient permissions to access this page.' ) );
        }

        // Proceed with processing settings...
    }
    // ...
}

By verifying the nonce, the plugin ensures the request originated from the legitimate admin interface and was intentionally submitted by the authorized user. For further details on securing WordPress plugins, researchers should consult the WordPress Plugin Handbook on Security.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.