CVE-2026-11775
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
The User Admin Simplifier plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 3.0.0. This is due to missing or incorrect nonce validation on the useradminsimplifier_options_page function, allowing unauthenticated attackers to reset and permanently delete users' menu and admin-bar configurations.
Risk Assessment
Attackers can exploit this vulnerability to manipulate user settings, potentially leading to data loss and integrity breaches. Specifically, if an administrator is tricked into performing a certain action, it could result in serious security consequences.
Recommendation
It is recommended to update the User Admin Simplifier plugin to the latest version to mitigate this vulnerability. Additionally, implementing extra security measures, such as nonce verification in relevant functions, is advisable.
Original NVD description (English source)
The User Admin Simplifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the useradminsimplifier_options_page function. This makes it possible for unauthenticated attackers to reset and permanently delete any user's stored menu and admin-bar configuration via a forged request that triggers uas_save_admin_options() and overwrites the useradminsimplifier_options database entry via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

