User Admin Simplifier <= 3.0.0 - Cross-Site Request Forgery
Description
The User Admin Simplifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the useradminsimplifier_options_page function. This makes it possible for unauthenticated attackers to reset and permanently delete any user's stored menu and admin-bar configuration via a forged request that triggers uas_save_admin_options() and overwrites the useradminsimplifier_options database entry, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <= 3.0.0
Patches
Vulnerability mechanics
Root cause
"Missing nonce validation on the useradminsimplifier_options_page function allows Cross-Site Request Forgery."
Attack vector
An unauthenticated attacker crafts a malicious link or form that triggers a forged request to the `useradminsimplifier_options_page` function. Because the function is missing nonce validation [ref_id=1], the request can call `uas_save_admin_options()` without any proof of intent. The attacker must trick a logged-in site administrator into clicking the link or submitting the form (a classic CSRF attack). Once the forged request is processed, the plugin overwrites the `useradminsimplifier_options` database entry, resetting and permanently deleting the stored menu and admin-bar configuration for any user.
Affected code
The vulnerability resides in the `useradminsimplifier_options_page` function, which lacks nonce validation when processing the `uas_save_admin_options()` action. This allows an unauthenticated attacker to forge a request that overwrites the `useradminsimplifier_options` database entry, resetting and permanently deleting any user's stored menu and admin-bar configuration.
What the fix does
The advisory does not include a published patch, but the plugin's changelog for version 3.0.1 states: "Security hardening: sanitize option keys when saving user settings." This fix addresses the missing input sanitization that could be exploited via the CSRF vector. Without nonce validation, an attacker can trigger the save function; the sanitization of option keys in 3.0.1 reduces the impact by preventing arbitrary key injection, but the advisory notes the root cause is the missing nonce check on the `useradminsimplifier_options_page` function.
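The handler pattern described above, as an added illustration that is not the plugin's own code: a hypothetical WordPress options page that saves POSTed settings with no proof of intent, beside a hardened version that adds the capability check, the nonce verification the advisory identifies as the root cause, and the option-key sanitization the 3.0.1 changelog mentions. All function and option names here (`demo_*`, `demo_plugin_options`) are stand-ins, not identifiers from the plugin.

```php
<?php
// Added illustration, not the plugin's code. The demo_* names and the
// 'demo_plugin_options' option are hypothetical stand-ins.

// BEFORE: any POST carrying uas_save is honoured. Nothing ties the request
// to the plugin's own form, so a cross-site form auto-submitted by a
// logged-in administrator's browser is processed and the option overwritten.
function demo_options_page_vulnerable() {
    if ( isset( $_POST['uas_save'] ) ) {
        update_option( 'demo_plugin_options', $_POST['uas_options'] );
    }
    demo_render_form( false );
}

// AFTER: capability check, nonce verification, then sanitization.
function demo_options_page_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo' ) );
    }
    if ( isset( $_POST['uas_save'] ) ) {
        // Stops with a 403 when the nonce is absent, expired, minted for a
        // different action or a different user. A third-party page cannot
        // obtain a valid value, which is what defeats the forged request.
        check_admin_referer( 'demo_save_options', 'demo_options_nonce' );

        $raw   = ( isset( $_POST['uas_options'] ) && is_array( $_POST['uas_options'] ) )
            ? wp_unslash( $_POST['uas_options'] ) : array();
        $clean = array();
        foreach ( $raw as $key => $value ) {
            // sanitize_key() limits keys to [a-z0-9_-], so a forged or malformed
            // key cannot land in the stored array; values are kept as plain text.
            $clean[ sanitize_key( $key ) ] = is_scalar( $value )
                ? sanitize_text_field( (string) $value ) : '';
        }
        update_option( 'demo_plugin_options', $clean );
    }
    demo_render_form( true );
}

function demo_render_form( $with_nonce ) {
    echo '<form method="post">';
    if ( $with_nonce ) {
        // Emits the hidden nonce field that check_admin_referer() verifies.
        wp_nonce_field( 'demo_save_options', 'demo_options_nonce' );
    }
    echo '<input type="text" name="uas_options[menu]" value="" />';
    echo '<input type="submit" name="uas_save" value="Save" />';
    echo '</form>';
}
```

The nonce alone closes the CSRF vector; the key sanitization only limits what a successful save can write, which is why the advisory treats the missing nonce check, not the sanitization, as the root cause.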
Preconditions
- Auth: The attacker must trick a logged-in site administrator into clicking a link or submitting a form that triggers the forged request.
- Input: The forged request must target the `useradminsimplifier_options_page` function, which lacks nonce validation.
- Network: The attacker can be unauthenticated and does not need any prior access to the WordPress site.
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/user-admin-simplifier/tags/1.0.0/useradminsimplifier.php (source: mitre)
- plugins.trac.wordpress.org/changeset (source: mitre)
- www.wordfence.com/threat-intel/vulnerabilities/id/0920fc70-1c4b-45ff-86f6-14640286b5e6 (source: mitre)