EIP-2026-113537

PRE-CVE

WordPress Plugin Admin Menu Tree Page View 2.6.9 - Cross-Site Request Forgery / Privilege Escalation

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113537. PoCs published by Panagiotis Vagenas.

AI-analyzed exploit summary This exploit demonstrates a CSRF vulnerability in the Admin Menu Tree Page View WordPress plugin (version 2.6.9) that allows privilege escalation and persistent XSS. It leverages an unauthenticated AJAX action to create arbitrary posts or inject malicious scripts.

Description

WordPress Plugin Admin Menu Tree Page View 2.6.9 - Cross-Site Request Forgery / Privilege Escalation

Exploits (1)

exploitdb WORKING POC

by Panagiotis Vagenas · textwebappsphp

https://www.exploit-db.com/exploits/43486

View Code ZIP pw:eip

This exploit demonstrates a CSRF vulnerability in the Admin Menu Tree Page View WordPress plugin (version 2.6.9) that allows privilege escalation and persistent XSS. It leverages an unauthenticated AJAX action to create arbitrary posts or inject malicious scripts.

Classification

Working Poc 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Admin Menu Tree Page View WordPress plugin 2.6.9

No auth needed

Prerequisites: WordPress installation with vulnerable plugin · Registered user account (for post creation)

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026