CVE-2026-8422
Cross-Site Request Forgery in Remove Meta Boxes Per User Role Plugin
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| remove_meta_boxes_per_user_role | remove_meta_boxes_per_user_role | to 1.01 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Remove meta boxes per user role plugin for WordPress has a vulnerability known as Cross-Site Request Forgery (CSRF) in all versions up to and including 1.01. This occurs because the plugin does not properly validate nonces on its settings page, which is a security token meant to prevent unauthorized actions.
As a result, an attacker who is not authenticated can trick a site administrator into performing an action, such as clicking a malicious link, which then allows the attacker to modify or reset the plugin's meta box visibility settings for different user roles without the administrator's consent.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to change the visibility settings of meta boxes for different user roles on your WordPress site without your permission.
While it does not directly compromise confidentiality or availability, it can lead to unauthorized changes in the user interface or functionality, potentially causing confusion or misconfiguration.