MEDIUM 4.3

CVE-2026-8422: Cross-Site Request Forgery in Remove Meta Boxes Per User Role WordPress Plugin

The Remove meta boxes per user role WordPress plugin contains a security flaw that allows attackers to change how meta boxes (content panels) are hidden or shown for different user roles on a WordPress site. An attacker can't do this directly, but by tricking a site administrator into clicking a malicious link, the attacker can force the admin's browser to make unauthorized changes to these visibility settings. The vulnerability affects all versions up to and including 1.01.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-352
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

The Remove meta boxes per user role plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.01. This is due to missing or incorrect nonce validation on the 'remove-meta-boxes-per-user-role' page. This makes it possible for unauthenticated attackers to modify or reset the plugin's per-role meta box visibility settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

7 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-8422 is a Cross-Site Request Forgery (CSRF) vulnerability in the Remove meta boxes per user role plugin for WordPress. The plugin fails to implement or properly validate nonce tokens on the 'remove-meta-boxes-per-user-role' administrative page. This allows an unauthenticated attacker to craft a forged HTTP request that, when executed in an authenticated admin's browser session, modifies the plugin's per-role meta box visibility configuration. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) and carries a CVSS 3.1 score of 4.3 (Medium severity) with a vector reflecting network-based attack, low complexity, no privilege requirement, required user interaction, and integrity impact limited to the plugin's settings scope.

Business impact

A successful CSRF attack could disrupt site administrator workflows by hiding or resetting critical content panels that administrators rely on for editing and management. While the impact is bounded to the plugin's configuration layer, repeated or coordinated attacks could degrade trust in site administration and create operational confusion. The vulnerability does not expose sensitive data or enable privilege escalation, but it does undermine the integrity of administrative preferences.

Affected systems

WordPress installations running the Remove meta boxes per user role plugin in any version up to and including 1.01. The plugin must be installed and activated for the vulnerability to be present. No vulnerability data indicates specific WordPress versions, themes, or other plugins are inherently more vulnerable; however, sites with high-value or frequently-targeted administrative accounts face elevated risk.

Exploitability

Exploitation requires social engineering: an attacker must craft a malicious link or embed a hidden request in a webpage and trick a site administrator into visiting it while logged into WordPress. The attack surface is limited by the need for user interaction and valid admin session, but the barrier to entry is low—a basic understanding of HTML forms suffices. This vulnerability is not in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no widespread active exploitation has been reported as of the modification date.

Remediation

Update the Remove meta boxes per user role plugin to a patched version released after version 1.01. Site administrators should check the plugin's repository or vendor advisories for the latest available release. As an interim measure, restrict administrative access to trusted networks or require additional authentication factors to reduce the likelihood of successful social engineering.

Patch guidance

Verify the latest version of the Remove meta boxes per user role plugin available in the WordPress Plugin Directory or from the plugin vendor's official source. Update immediately upon confirmation that a patched version addressing CSRF validation is available. Test the update in a staging environment before deploying to production to ensure compatibility with your site's configuration and other active plugins.

Detection guidance

Monitor web server logs for suspicious POST requests to the 'remove-meta-boxes-per-user-role' page originating from unusual referrers or user agents. Review WordPress admin activity logs to identify unexpected changes to meta box visibility settings, particularly if they coincide with reports of administrator confusion or unintended configuration drift. WordPress security plugins offering request logging can help surface CSRF attempts by flagging requests without valid nonce tokens.

Why prioritize this

Although this vulnerability carries a Medium CVSS score and requires user interaction to exploit, it should be prioritized for timely patching because it undermines the integrity of site administration interfaces and can be weaponized in targeted social engineering campaigns against site administrators. The ease of exploitation, combined with the broad attack surface of administrator-targeted phishing, justifies prompt remediation even in low-threat environments.

Risk score, explained

The CVSS 3.1 score of 4.3 reflects a network-accessible vulnerability requiring no authentication but mandating user interaction (UI:R). The integrity impact is limited (I:L) to the plugin's per-role settings, with no confidentiality or availability impact. The score appropriately balances the ease of delivery against the contained scope of the damage, landing it in the Medium severity band.

Frequently asked questions

Does this vulnerability allow an attacker to gain admin credentials or access to my site's content?

No. The vulnerability is limited to modifying the visibility of meta boxes for different user roles. It does not expose passwords, expose published content, or grant unauthorized access levels. An attacker cannot read or delete data through this flaw.

Do I need to be an administrator for the attack to work?

Yes and no: the attacker does not need admin credentials, but a legitimate admin must be tricked into clicking a malicious link or visiting a compromised site while logged into WordPress. The attack leverages the admin's valid session.

How can I tell if my site was attacked using this vulnerability?

Look for unexpected changes to meta box visibility settings or administrator reports of missing content panels. WordPress security plugins and admin audit logs will show which users made configuration changes and when. Compare these against your change management records.

What should I do while waiting for a patch?

Update to the latest available version as soon as it becomes available. In the interim, educate administrators about social engineering tactics, disable admin access from untrusted networks if possible, and consider enabling two-factor authentication to add a second layer of protection.

This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the modification date. Patch availability and specific version numbers should be verified directly with the plugin vendor or WordPress Plugin Directory. Organizations should validate all remediation steps in a non-production environment before deployment. SEC.co makes no warranty regarding the accuracy, completeness, or suitability of this information for any specific use case. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).