CVE-2026-11775
Deferred Deferred - Pending Action

Cross-Site Request Forgery in User Admin Simplifier WordPress Plugin

Vulnerability report for CVE-2026-11775, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-19

Last updated on: 2026-06-22

Assigner: Wordfence

Description

The User Admin Simplifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the useradminsimplifier_options_page function. This makes it possible for unauthenticated attackers to reset and permanently delete any user's stored menu and admin-bar configuration via a forged request that triggers uas_save_admin_options() and overwrites the useradminsimplifier_options database entry via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-19
Last Modified
2026-06-22
Generated
2026-07-09
AI Q&A
2026-06-20
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wordfence user_admin_simplifier to 3.0.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to reset and permanently delete any user's stored menu and admin-bar configuration by tricking a site administrator into performing an action. While this impacts the integrity of user interface settings, there is no direct indication from the provided information that it leads to unauthorized access to personal data or sensitive information.

Therefore, based on the available data, this vulnerability does not explicitly affect compliance with common standards and regulations such as GDPR or HIPAA, which primarily focus on the protection of personal and sensitive data.

Executive Summary

The User Admin Simplifier plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 3.0.0. This vulnerability exists because the plugin does not properly validate nonces in the useradminsimplifier_options_page function.

As a result, an attacker who tricks a site administrator into clicking a malicious link can cause the plugin to reset and permanently delete any user's stored menu and admin-bar configuration by triggering the uas_save_admin_options() function and overwriting the useradminsimplifier_options database entry.

Impact Analysis

This vulnerability allows unauthenticated attackers to manipulate the stored menu and admin-bar configurations of any user by tricking an administrator into performing an action such as clicking a link.

The impact is limited to integrity loss of user interface settings, as the vulnerability does not affect confidentiality or availability.

According to the CVSS score of 4.3, this is a low to medium severity issue that requires user interaction but no privileges.

Mitigation Strategies

The vulnerability affects all versions of the User Admin Simplifier plugin up to and including 3.0.0 due to missing or incorrect nonce validation. To mitigate this vulnerability immediately, you should update the User Admin Simplifier plugin to a version later than 3.0.0 where the issue is fixed.

Additionally, as a precaution, avoid clicking on suspicious links or performing actions from untrusted sources that could trigger forged requests exploiting this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11775. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart