CVE-2026-11775
Received Received - Intake
Cross-Site Request Forgery in User Admin Simplifier WordPress Plugin

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: Wordfence

Description
The User Admin Simplifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the useradminsimplifier_options_page function. This makes it possible for unauthenticated attackers to reset and permanently delete any user's stored menu and admin-bar configuration via a forged request that triggers uas_save_admin_options() and overwrites the useradminsimplifier_options database entry via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-19
Last Modified
2026-06-19
Generated
2026-06-19
AI Q&A
2026-06-19
EPSS Evaluated
N/A
NVD
CVE-2026-11775
EUVD
EUVD-2026-37974
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence user_admin_simplifier to 3.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The User Admin Simplifier plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 3.0.0. This vulnerability exists because the plugin does not properly validate nonces in the useradminsimplifier_options_page function.

As a result, an attacker who tricks a site administrator into clicking a malicious link can cause the plugin to reset and permanently delete any user's stored menu and admin-bar configuration by triggering the uas_save_admin_options() function and overwriting the useradminsimplifier_options database entry.

Impact Analysis

This vulnerability allows unauthenticated attackers to manipulate the stored menu and admin-bar configurations of any user by tricking an administrator into performing an action such as clicking a link.

The impact is limited to integrity loss of user interface settings, as the vulnerability does not affect confidentiality or availability.

According to the CVSS score of 4.3, this is a low to medium severity issue that requires user interaction but no privileges.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11775. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart