CVE-2026-32456
Received Received - Intake

Cross-Site Request Forgery in Admin Menu Editor

Vulnerability report for CVE-2026-32456, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-13

Last updated on: 2026-03-13

Assigner: Patchstack

Description

Cross-Site Request Forgery (CSRF) vulnerability in Janis Elsts Admin Menu Editor admin-menu-editor allows Cross Site Request Forgery.This issue affects Admin Menu Editor: from n/a through <= 1.14.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-13
Last Modified
2026-03-13
Generated
2026-07-06
AI Q&A
2026-03-13
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
janis_elsts admin_menu_editor From 1.0 (inc) to 1.14.1 (inc)
janis_elsts admin_menu_editor to 1.14.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate the CVE-2026-32456 vulnerability, users should update the WordPress Admin Menu Editor Plugin to version 1.15 or later, where the issue has been patched.

Additionally, using automatic update tools such as those offered by Patchstack can provide rapid protection by ensuring vulnerable plugins are updated promptly.

Since the vulnerability requires privileged user interaction, minimizing the number of users with elevated privileges and educating users about the risks of clicking untrusted links can also help reduce the risk.

Executive Summary

CVE-2026-32456 is a Cross Site Request Forgery (CSRF) vulnerability affecting the WordPress Admin Menu Editor Plugin versions up to and including 1.14.1.

This vulnerability allows a malicious actor to trick privileged users into executing unwanted actions while authenticated, such as by clicking a malicious link, visiting a crafted page, or submitting a form.

The exploit requires user interaction and targets users with elevated privileges, but it does not require the attacker to be authenticated.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to unauthorized actions being performed on your WordPress site by tricking privileged users into executing them unknowingly.'}, {'type': 'paragraph', 'content': "Since it targets users with elevated privileges, it could result in changes to the admin menu or other administrative functions without the user's consent."}, {'type': 'paragraph', 'content': 'However, the impact is considered low severity with a CVSS score of 4.3, and exploitation requires user interaction.'}] [1]

Compliance Impact

I don't know

Detection Guidance

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32456. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart