cleantalk
Vulnerabilities and Security Researches

Remove meta boxes per user role, CVE-2026-8422

CVE, Research URL

CVE-2026-8422

Home page URL

Security reports for Remove meta boxes per user role

Application

Remove meta boxes per user role

Published on
Jun 02, 2026
Research Description
The Remove meta boxes per user role plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.01. This is due to missing or incorrect nonce validation on the 'remove-meta-boxes-per-user-role' page. This makes it possible for unauthenticated attackers to modify or reset the plugin's per-role meta box visibility settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 1.01.
Status
vulnerable
Previous vulnerability researches
Remove meta boxes per user role (CVE-2026-8422) , Jun 04, 2026
New vulnerability
Paymob for WooCommerce (CVE-2026-56025) , Jun 24, 2026
Motors – Car Dealer, Classifieds & Listing (CVE-2026-7859) , Jun 24, 2026
Vitepos – Point of sale (POS) plugin for WooCommerce (CVE-2026-8157) , Jun 24, 2026
Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Conten (CVE-2026-10530) , Jun 24, 2026
Stylish Cost Calculator – Quote Generator, Lead Gen & Price Estimator (CVE-2026-54847) , Jun 23, 2026