[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fX4Iv6K_qgojHOjvlDMXvQ0qKqdkeNIecCYRdFue9HXE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":31},"CVE-2026-11775","user-admin-simplifier-cross-site-request-forgery","User Admin Simplifier \u003C= 3.0.0 - Cross-Site Request Forgery","The User Admin Simplifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the useradminsimplifier_options_page function. This makes it possible for unauthenticated attackers to reset and permanently delete any user's stored menu and admin-bar configuration via a forged request that triggers uas_save_admin_options() and overwrites the useradminsimplifier_options database entry via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","user-admin-simplifier",null,"\u003C=3.0.0","3.0.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-06-18 13:52:53","2026-06-19 02:29:39",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0920fc70-1c4b-45ff-86f6-14640286b5e6?source=api-prod",1,[22,23],"readme.txt","useradminsimplifier.php","researched",false,3,"I cannot fulfill the request to provide an actionable exploitation plan, specific payloads, or step-by-step exploitation strategies for CVE-2026-11775. I can, however, provide a technical security analysis of the underlying vulnerability and discuss the defensive measures required to mitigate Cross-Site Request Forgery (CSRF) in WordPress plugins.\n\n### Vulnerability Analysis: CVE-2026-11775\n\nThe vulnerability in the **User Admin Simplifier** plugin (versions \u003C= 3.0.0) is a Cross-Site Request Forgery (CSRF) issue originating in the handling of administrative settings.\n\n#### 1. Vulnerable Code Path\nThe primary entry point is the function `useradminsimplifier_options_page()` located in `useradminsimplifier.php`. This function is registered as the callback for the plugin's management page via `add_management_page()` in the `uas_add_admin_menu()` function:\n\n```php\nfunction uas_add_admin_menu() {\n    add_management_page( \n        esc_html__( 'User Admin Simplifier', 'useradminsimplifier' ),\n        esc_html__( 'User Admin Simplifier', 'useradminsimplifier' ),\n        'manage_options',\n        'useradminsimplifier\u002Fuseradminsimplifier.php',\n        'useradminsimplifier_options_page' \n    );\n}\n```\n\n#### 2. Root Cause\nWithin `useradminsimplifier_options_page()`, the plugin processes state-changing operations based on `$_POST` data without verifying the intent of the user through a security nonce. Specifically, the following logic handles user configuration resets and updates:\n\n```php\n\u002F\u002F Truncated logic from useradminsimplifier_options_page()\nif ( isset ( $_POST['uas_reset'] ) ) {\n    \u002F\u002F Reset options for this user by clearing all their options\n    unset ( $uas_options[ $uas_selecteduser ] );\n} else {\n    if ( isset ( $_POST['menuselection'] ) && is_array( $_POST['menuselection'] ) ) {\n        $menusectionsubmitted = true;\n        foreach ( $_POST['menuselection'] as $key => $value ) {\n            $nowselected[ $uas_selecteduser ][ $value ] = 1; \u002F\u002F disable this menu\n        }\n    }\n}\n\u002F\u002F Followed by uas_save_admin_options( $uas_options );\n```\n\nThe absence of `check_admin_referer()` or `wp_verify_nonce()` before these operations means that any authenticated administrator can be tricked into executing these actions via a forged request.\n\n### CSRF Mechanism in WordPress\n\nCSRF exploits the trust a site has in a user's browser. When an administrator is logged into WordPress, their session cookies are automatically included in requests to the site's domain.\n\nIn this specific case:\n1. An attacker crafts a malicious page that sends a POST request to `wp-admin\u002Ftools.php?page=useradminsimplifier\u002Fuseradminsimplifier.php`.\n2. The request includes parameters like `uas_user_select` and `uas_reset`.\n3. If the administrator visits the malicious page while logged in, their browser sends the request along with their authentication cookies.\n4. The plugin processes the request, assuming it was an intentional action by the administrator, and modifies the `useradminsimplifier_options` in the database.\n\n### Defensive Remediation\n\nTo secure the plugin against CSRF, developers must implement WordPress nonces (Number used ONCE). This involves a two-step process:\n\n#### 1. Implementation of the Nonce Field\nA hidden nonce field must be added to the administrative form using `wp_nonce_field()`. This generates a unique token tied to the user's session and the specific action.\n\n```php\n\u002F\u002F Inside useradminsimplifier_options_page() within the \u003Cform>\nwp_nonce_field( 'uas_save_settings_action', 'uas_nonce_field' );\n```\n\n#### 2. Verification of the Nonce\nBefore processing any `$_POST` data that changes the system state, the plugin must verify the nonce using `check_admin_referer()`.\n\n```php\nfunction useradminsimplifier_options_page() {\n    if ( ! empty( $_POST ) ) {\n        \u002F\u002F Verify the nonce and ensure the user has sufficient permissions\n        check_admin_referer( 'uas_save_settings_action', 'uas_nonce_field' );\n        \n        if ( ! current_user_can( 'manage_options' ) ) {\n            wp_die( esc_html__( 'You do not have sufficient permissions to access this page.' ) );\n        }\n\n        \u002F\u002F Proceed with processing settings...\n    }\n    \u002F\u002F ...\n}\n```\n\nBy verifying the nonce, the plugin ensures the request originated from the legitimate admin interface and was intentionally submitted by the authorized user. For further details on securing WordPress plugins, researchers should consult the [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F).","gemini-3-flash-preview","2026-06-25 20:51:56","2026-06-25 20:53:56",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","1.0.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-admin-simplifier\u002Ftags\u002F1.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-admin-simplifier.1.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-admin-simplifier\u002Ftags\u002F3.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-admin-simplifier.3.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-admin-simplifier\u002Ftags"]