PatchSiren cyber security CVE debrief

CVE-2026-11775 adamsilverstein CVE debrief

The User Admin Simplifier plugin for WordPress has a Cross-Site Request Forgery vulnerability in all versions up to, and including, 3.0.0. This vulnerability, with a CVSS score of 4.3, allows unauthenticated attackers to reset and permanently delete any user's stored menu and admin-bar configuration via a forged request. The vulnerability exists because of missing or incorrect nonce validation in the useradminsimplifier_options_page function, which lets an attacker trick a site administrator into an action such as clicking a link that overwrites the useradminsimplifier_options database entry.

Vendor: adamsilverstein
Product: User Admin Simplifier
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-19
Original CVE updated: 2026-06-22
Advisory published: 2026-06-19
Advisory updated: 2026-06-22

Who should care

Administrators of WordPress sites using the User Admin Simplifier plugin, in particular those running any version up to and including 3.0.0, should be aware of this vulnerability. Site owners and security teams need to assess the risk and apply the necessary patches or mitigations to prevent exploitation.

Technical summary

The vulnerability in the User Admin Simplifier plugin for WordPress is caused by inadequate nonce validation in the useradminsimplifier_options_page function. Because the handler does not verify that a request was deliberately submitted by the logged-in administrator, an unauthenticated attacker can mount a Cross-Site Request Forgery attack that rides on the administrator's session, potentially leading to unauthorized modification of stored user configuration. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N indicates a medium-severity vulnerability that requires user interaction (UI:R) and results in a low integrity impact (I:L) with no confidentiality or availability impact.
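The missing check described above, as an added illustration that is not the plugin's own source: a stripped-down WordPress admin options handler that trusts any POST, beside the hardened form that embeds a nonce with wp_nonce_field() and verifies it with check_admin_referer() before touching the option. The function and option names come from the advisory; the form field, nonce action and capability are assumptions.

```php
<?php
// Added illustration, not the plugin's code. The option and page-function
// names are from the advisory; 'uas_reset' and 'uas_reset_options' are assumed.

// VULNERABLE PATTERN: every POST that reaches this admin page is acted on.
// A request forged from another site in the administrator's browser carries
// the administrator's cookies, so the reset runs without any proof of intent.
function useradminsimplifier_options_page_vulnerable() {
    if ( isset( $_POST['uas_reset'] ) ) {
        delete_option( 'useradminsimplifier_options' ); // stored config wiped
    }
    echo '<form method="post">';
    echo '<input type="submit" name="uas_reset" value="Reset">';
    echo '</form>';
}

// HARDENED PATTERN: the form carries a nonce bound to the logged-in user and
// the action name; the handler refuses to act unless the nonce verifies and
// the user holds the required capability.
function useradminsimplifier_options_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( __( 'Insufficient permissions.' ) );
    }
    if ( isset( $_POST['uas_reset'] ) ) {
        // Stops with a 403 page if the nonce is absent, expired or was issued
        // for another user or action, so a cross-site forged POST cannot pass.
        check_admin_referer( 'uas_reset_options', 'uas_nonce' );
        delete_option( 'useradminsimplifier_options' );
        add_settings_error( 'useradminsimplifier', 'reset',
            __( 'Configuration reset.' ), 'updated' );
    }
    echo '<form method="post">';
    wp_nonce_field( 'uas_reset_options', 'uas_nonce' ); // hidden nonce input
    echo '<input type="submit" name="uas_reset" value="Reset">';
    echo '</form>';
}
```

Note that the capability check alone does not close the hole: the forged request arrives with the administrator's own privileges, which is why the nonce check is the control that matters for CSRF.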

Defensive priority

High

Recommended defensive actions

  • Update the User Admin Simplifier plugin to a version beyond 3.0.0 if available.
  • Implement additional monitoring for suspicious requests to the admin page handled by the useradminsimplifier_options_page function.
  • Educate site administrators on the risks of clicking on unverified links.
  • Consider implementing a Web Application Firewall (WAF) to detect and block CSRF attacks.
  • Regularly review and update plugins and themes to ensure they are up-to-date and patched.
  • Use the SameSite attribute on session cookies to enhance protection against CSRF attacks.

Evidence notes

The information provided is based on data from the National Vulnerability Database (NVD) and Wordfence security research. The vulnerability details and CVSS score were obtained from these trusted sources.

Official resources

The CVE and vulnerability details are publicly disclosed and can be accessed through official channels like CVE.org and NVD.