What the vulnerability does
01 Description
The Remove meta boxes per user role plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.01. This is due to missing or incorrect nonce validation on the 'remove-meta-boxes-per-user-role' admin page. This makes it possible for unauthenticated attackers to modify or reset the plugin's per-role meta box visibility settings via a forged request, provided they can trick a logged-in site administrator into performing an action such as clicking on a link. Because the browser attaches the administrator's session cookies to the forged request, WordPress cannot tell it apart from a legitimate form submission unless the handler checks a nonce.
Explanation of Vulnerability in Simple Terms
02 Summary
The Remove meta boxes per user role plugin for WordPress contains a cross-site request forgery (CSRF) vulnerability in versions up to and including 1.01. An attacker can craft a malicious link or page that, when visited by a logged-in administrator, changes the plugin's per-role meta box visibility settings without the administrator's knowledge. The vulnerability requires user interaction and does not expose sensitive data, but it can modify site settings.
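The missing check the description and summary refer to, shown as an added illustration in hypothetical code (not the plugin's own code): a settings handler that writes per-role visibility settings from a POST body without any nonce check, beside the hardened form that renders a nonce with wp_nonce_field() and verifies it with check_admin_referer(). The function names, the option name rmb_hidden_boxes, the field name rmb_hidden_boxes, the nonce action rmb_save_settings and the manage_options capability are all assumptions made for the example.

```php
<?php
/*
 * Added illustration of the CSRF pattern, not code from the plugin.
 * All names below (rmb_* functions, option and field names, nonce action)
 * are assumptions. Requires the WordPress runtime (wp_nonce_field,
 * check_admin_referer, update_option, current_user_can, sanitize_key).
 */

// Vulnerable pattern: the handler trusts any POST that arrives with an
// administrator's cookies. A form on an attacker-controlled page that
// auto-submits to the plugin's admin page is accepted just like the
// plugin's own form, so the settings can be changed or reset.
function rmb_save_settings_vulnerable() {
    if ( ! isset( $_POST['rmb_hidden_boxes'] ) ) {
        return;
    }
    // No check_admin_referer()/wp_verify_nonce() here: this is the CSRF.
    // current_user_can() alone would not help, because the victim really
    // is an administrator; the problem is that the request was not intended.
    update_option( 'rmb_hidden_boxes', (array) $_POST['rmb_hidden_boxes'] );
}

// Hardened pattern, step 1: the settings form carries a nonce bound to a
// specific action and to the current user's session.
function rmb_render_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'rmb_save_settings', 'rmb_nonce' ); // hidden field: rmb_nonce
    // ... per-role checkbox fields named rmb_hidden_boxes[<role>][] ...
    submit_button();
    echo '</form>';
}

// Hardened pattern, step 2: the handler requires both the capability
// (authorisation) and a valid nonce (proof the request came from the
// plugin's own form, not from a third-party page).
function rmb_save_settings_hardened() {
    if ( ! isset( $_POST['rmb_hidden_boxes'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // check_admin_referer() verifies the nonce for this action and dies
    // with the "link has expired" page if it is missing or invalid.
    check_admin_referer( 'rmb_save_settings', 'rmb_nonce' );

    // Sanitise the structure before storing it: roles and meta box IDs
    // are simple keys, nothing else should be written to the option.
    $clean = array();
    foreach ( (array) $_POST['rmb_hidden_boxes'] as $role => $boxes ) {
        $clean[ sanitize_key( $role ) ] = array_map( 'sanitize_key', (array) $boxes );
    }
    update_option( 'rmb_hidden_boxes', $clean );
}

// Any "reset to defaults" action needs the same treatment; a reset
// button without its own nonce check is the same CSRF bug.
function rmb_reset_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'rmb_reset_settings', 'rmb_nonce' );
    delete_option( 'rmb_hidden_boxes' );
}
```

A quick check when auditing a plugin for this class of bug: find every place the admin page reads $_POST or $_GET and then calls update_option(), delete_option() or similar, and confirm that a check_admin_referer() or wp_verify_nonce() call for a matching action precedes the write. A capability check on its own does not stop CSRF, since the forged request is executed by a genuinely privileged user.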
What an attacker can do
03 Attacker Capabilities
Trick a logged-in administrator into visiting a malicious page that changes or resets the plugin's per-role meta box visibility settings without their consent.
Potential impact on your site
04 Site Impact
An attacker can alter which meta boxes are hidden for each user role, for example hiding editing controls that a role relies on or re-exposing ones the administrator had deliberately removed, potentially disrupting site administration workflows.
Conditions required to exploit
05 Prerequisites
The site must be running version 1.01 or earlier of the plugin, and an administrator must be logged in when they click a malicious link or visit an attacker-controlled page.
Key dates
06 Disclosure timeline
June 2, 2026
CVE published
June 2, 2026
Record updated