Platform
wordpress
Component
admin-menu-editor
Fixed in
1.14.2
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Admin Menu Editor WordPress plugin. An attacker who lures a logged-in user onto a page they control (for example via a malicious link) can make that user's browser submit requests to the plugin's admin endpoints, and the plugin acts on them as if the user had initiated them. The vulnerability affects versions 0.0.0 through 1.14.1. The fix field above lists 1.14.2 as the corrected release; the advisory text also refers to 1.15 or later as safe.
The root cause is the usual one for CSRF: the browser attaches the WordPress session cookie to a cross-site request automatically, and the affected code path does not require a per-user, per-action token (a WordPress nonce) that only a legitimately rendered admin page would carry. The attacker can therefore execute actions on behalf of the authenticated user without their knowledge or consent: modifying menu structures, changing plugin settings, or other actions the plugin exposes, bounded by the victim's own capabilities. A successful attack requires the victim to be logged into the WordPress site and to visit a webpage crafted by the attacker while that session is active. The blast radius is limited to what the victim's role can do within the WordPress installation, which is why administrator sessions are the relevant target.
This vulnerability was publicly disclosed on 2026-03-13. No public proof-of-concept (PoC) code has been identified at the time of writing. The EPSS score is 0.02% (3rd percentile), consistent with the lack of public exploits and the reliance on social engineering for exploitation. It is not currently listed in the CISA KEV catalog.
Websites using the Admin Menu Editor plugin, particularly those with users who have administrative privileges, are at risk. Shared hosting environments where users have limited control over plugin updates are also particularly vulnerable.
Checks (WP-CLI; `wp plugin list` prints the plugin slug, not its display name, so grep for the slug):
• wp plugin list | grep admin-menu-editor
• wp plugin status admin-menu-editor
• wp option get admin_menu_editor_version
• wp plugin update --all
Exploit status
EPSS
0.02% (3rd percentile)
CVSS vector
The primary mitigation for CVE-2026-32456 is to upgrade the Admin Menu Editor plugin to the fixed release (1.14.2 according to the fix field above; the advisory text cites 1.15 or later). A Content Security Policy is not a CSRF defense: CSP governs which resources the victim's site may load, whereas the forged request originates from the attacker's page, so CSP on the WordPress site does not stop it. If upgrading is not immediately feasible, reduce exposure instead: restrict access to wp-admin (HTTP authentication or an IP allowlist at the web server), have administrators log out of the site when not actively working in it, and, where a WAF or security plugin is in place, block requests to the plugin's admin actions whose Origin or Referer header is not the site itself. After upgrading, verify the fix from a logged-in administrator session: replay a menu-save request with the `_wpnonce` parameter removed or altered and confirm the plugin rejects it, then confirm the same action still succeeds when submitted from the plugin's own settings page with a valid nonce.
Update to version 1.15 or a later fixed release (the fix field above lists 1.14.2).
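The pattern behind this class of bug, as an added illustration that is not the plugin's code: a save handler that trusts the session cookie alone, beside one that also demands a per-user, per-action nonce. It is stand-alone PHP; the WordPress functions wp_create_nonce, wp_verify_nonce, check_admin_referer and current_user_can are replaced by minimal stand-ins so the file runs without WordPress, and the handler names, request shape and secret are hypothetical.

```php
<?php
// Added illustration (not Admin Menu Editor's code). Stand-alone PHP 7+.
// WordPress nonce functions are replaced by minimal stand-ins below.

const NONCE_SECRET = 'constructed-secret-use-wp-salts-in-real-code'; // hypothetical
const NONCE_ACTION = 'ame_save_menu';                                   // hypothetical action name

// Stand-in for wp_create_nonce(): HMAC over time-window|action|user, truncated.
function create_nonce(string $action, int $userId, int $tick): string {
    return substr(hash_hmac('sha256', "$tick|$action|$userId", NONCE_SECRET), -12, 10);
}

// Stand-in for wp_verify_nonce(): accept the current and the previous window,
// compare in constant time.
function verify_nonce(?string $nonce, string $action, int $userId, int $tick): bool {
    if ($nonce === null || $nonce === '') {
        return false;
    }
    foreach ([$tick, $tick - 1] as $t) {
        if (hash_equals(create_nonce($action, $userId, $t), $nonce)) {
            return true;
        }
    }
    return false;
}

// Vulnerable pattern: the only evidence that the request is legitimate is the
// session cookie, which the browser attaches to cross-site form posts too.
function save_menu_vulnerable(array $request, array $user, array &$menu): string {
    if (!$user['can_manage_options']) {           // stand-in for current_user_can()
        return 'denied';
    }
    $menu = json_decode($request['menu'], true);  // attacker-controlled content
    return 'saved';
}

// Hardened pattern: capability check plus nonce check. In WordPress this is
// check_admin_referer(NONCE_ACTION) in the handler and wp_nonce_field() in the form.
// The nonce is embedded in the admin page, so a cross-site form cannot supply it.
function save_menu_hardened(array $request, array $user, array &$menu, int $tick): string {
    if (!$user['can_manage_options']) {
        return 'denied';
    }
    if (!verify_nonce($request['_wpnonce'] ?? null, NONCE_ACTION, $user['id'], $tick)) {
        return 'rejected: missing or invalid nonce';
    }
    $menu = json_decode($request['menu'], true);
    return 'saved';
}

// Constructed scenario: an administrator with an active session.
$user       = ['id' => 1, 'can_manage_options' => true];
$storedMenu = ['Dashboard', 'Posts', 'Plugins'];
$tick       = intdiv(time(), 12 * 3600);        // 12-hour window, as WordPress uses

// Forged request: what an attacker's auto-submitting form on another origin sends.
// The session cookie travels with it; the nonce does not.
$forged = ['menu' => json_encode(['Dashboard'])];
// Legitimate request: the same body plus the nonce rendered into the admin page.
$legit  = $forged + ['_wpnonce' => create_nonce(NONCE_ACTION, $user['id'], $tick)];
// Stale request: nonce from two windows ago, outside the accepted range.
$stale  = $forged + ['_wpnonce' => create_nonce(NONCE_ACTION, $user['id'], $tick - 2)];

foreach ([
    ['vulnerable handler, forged request', fn(&$m) => save_menu_vulnerable($forged, $user, $m)],
    ['hardened handler, forged request',   fn(&$m) => save_menu_hardened($forged, $user, $m, $tick)],
    ['hardened handler, stale nonce',      fn(&$m) => save_menu_hardened($stale, $user, $m, $tick)],
    ['hardened handler, valid nonce',      fn(&$m) => save_menu_hardened($legit, $user, $m, $tick)],
] as [$label, $run]) {
    $menu = $storedMenu;
    $result = $run($menu);
    printf("%-38s %-34s menu=%s\n", $label, $result, json_encode($menu));
}
```

The forged request succeeds against the first handler and is rejected by the second; only the request carrying a nonce minted for this user and this action within the current window is saved. Setting the session cookie to SameSite=Lax (the WordPress default in modern browsers) blocks many cross-site POSTs as well, but it depends on browser behaviour and does not replace the server-side nonce check.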
CVE-2026-32456 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Admin Menu Editor WordPress plugin. It lets an attacker perform plugin actions as a logged-in user who visits a page the attacker controls.
You are affected if you are using Admin Menu Editor versions 0.0.0 through 1.14.1. Upgrade to the fixed release (1.14.2 per the fix field above; the advisory text cites 1.15 or later) to resolve the vulnerability.
Upgrade the Admin Menu Editor plugin to the fixed release. Until then, restrict access to wp-admin and keep administrator sessions short; a Content Security Policy does not mitigate CSRF and should not be relied on for this issue.
There are currently no reports of active exploitation, but the vulnerability remains present in older versions of the plugin.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information.