CVE-2026-32456
Received - Intake
Cross-Site Request Forgery in Admin Menu Editor

Publication date: 2026-03-13

Last updated on: 2026-03-13

Assigner: Patchstack

Description
Cross-Site Request Forgery (CSRF) vulnerability in Janis Elsts Admin Menu Editor admin-menu-editor allows Cross Site Request Forgery. This issue affects Admin Menu Editor: from n/a through <= 1.14.1.
Meta Information
Published: 2026-03-13
Last Modified: 2026-03-13
Generated: 2026-06-16
AI Q&A: 2026-03-13
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
janis_elsts | admin_menu_editor | From 1.0 (inc) to 1.14.1 (inc)
janis_elsts | admin_menu_editor | to 1.14.1 (inc)
CWE ID | Description
CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Mitigation Strategies

To mitigate the CVE-2026-32456 vulnerability, users should update the WordPress Admin Menu Editor Plugin to version 1.15 or later, where the issue has been patched.

Additionally, using automatic update tools such as those offered by Patchstack can provide rapid protection by ensuring vulnerable plugins are updated promptly.

Since the vulnerability requires privileged user interaction, minimizing the number of users with elevated privileges and educating users about the risks of clicking untrusted links can also help reduce the risk.

Executive Summary

CVE-2026-32456 is a Cross Site Request Forgery (CSRF) vulnerability affecting the WordPress Admin Menu Editor Plugin versions up to and including 1.14.1.

This vulnerability allows a malicious actor to trick privileged users into executing unwanted actions while authenticated, such as by clicking a malicious link, visiting a crafted page, or submitting a form.

The exploit requires user interaction and targets users with elevated privileges, but it does not require the attacker to be authenticated.

Impact Analysis

This vulnerability can lead to unauthorized actions being performed on your WordPress site by tricking privileged users into executing them unknowingly.

Since it targets users with elevated privileges, it could result in changes to the admin menu or other administrative functions without the user's consent.

However, the impact is considered low severity with a CVSS score of 4.3, and exploitation requires user interaction. [1]
