PT-2026-50827 · Adamsilverstein · User Admin Simplifier

Ryusei Arima · Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-11775

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

User Admin Simplifier versions prior to 3.0.1

Description

The User Admin Simplifier plugin for WordPress is subject to Cross-Site Request Forgery (CSRF), a type of attack where an unauthorized user tricks a victim into performing actions they did not intend to perform. This occurs due to missing or incorrect nonce validation in the useradminsimplifier options page function. Unauthenticated attackers can reset and permanently delete any user's stored menu and admin-bar configuration by tricking a site administrator into clicking a link. This action triggers the uas save admin options() function and overwrites the useradminsimplifier options database entry.

Recommendations

Update the plugin to a version later than 3.0.0. As a temporary workaround, restrict administrative access to the useradminsimplifier options page function until the update is applied.
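
The missing check described above, shown as an added example that is not the plugin's source code: a state-changing options handler without nonce validation next to a form that validates one. All `example_uas_*` names, the option key and the `reset_user` parameter are hypothetical; the WordPress functions called are the standard core APIs.

```php
<?php
// Added illustration. Hypothetical names throughout; not taken from the plugin.
const EXAMPLE_UAS_OPTION = 'example_uas_options';    // assumed option key
const EXAMPLE_UAS_ACTION = 'example_uas_reset_user'; // assumed nonce action

// Weak pattern: any request carrying the parameter rewrites stored state,
// so a request forged by another site succeeds inside an admin's session.
function example_uas_reset_unchecked() {
    if ( isset( $_REQUEST['reset_user'] ) ) {
        $login   = sanitize_user( wp_unslash( $_REQUEST['reset_user'] ) );
        $options = get_option( EXAMPLE_UAS_OPTION, array() );
        unset( $options[ $login ] );
        update_option( EXAMPLE_UAS_OPTION, $options );
    }
}

// Hardened pattern: POST only, capability check, nonce check, then the write.
function example_uas_reset_checked() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['reset_user'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change these settings.', 'example-uas' ),
            '',
            array( 'response' => 403 )
        );
    }
    // Stops the request when the nonce field is missing, expired or invalid.
    check_admin_referer( EXAMPLE_UAS_ACTION, 'example_uas_nonce' );

    $login   = sanitize_user( wp_unslash( $_POST['reset_user'] ) );
    $options = get_option( EXAMPLE_UAS_OPTION, array() );
    unset( $options[ $login ] );
    update_option( EXAMPLE_UAS_OPTION, $options );
}

// The admin form must emit the nonce that the handler verifies.
function example_uas_render_reset_form( $user_login ) {
    echo '<form method="post">';
    wp_nonce_field( EXAMPLE_UAS_ACTION, 'example_uas_nonce' );
    printf( '<input type="hidden" name="reset_user" value="%s" />', esc_attr( $user_login ) );
    submit_button( 'Reset settings for this user' );
    echo '</form>';
}
```

The nonce is bound to the logged-in user's session and the action string, so a request built by a third-party page cannot supply a valid value.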

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2026-11775

Affected Products

User Admin Simplifier