Primary

Context

WordPress Mega Menu QuadMenu Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WordPress Mega Menu - QuadMenu plugin, affecting all versions through 3.2.0. The issue arises from inadequate nonce validation in the 'ajax_dismiss_notice()' function, allowing unauthenticated attackers to manipulate user meta data. This includes the 'wp_capabilities' meta, which could be exploited to downgrade an administrator's privileges. The vulnerability requires tricking an administrator into clicking a link that initiates the forged request.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in user meta data, including critical capability settings, potentially allowing for privilege escalation or de-escalation.

Remediation

Users are advised to update the WordPress Mega Menu - QuadMenu plugin to version 3.2.1 or later.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

7.0

remediation

7.7

relevance

0.0

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

7.0

remediation

7.7

relevance

0.0

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

WordPress Mega Menu QuadMenu Cross-Site Request Forgery Vulnerability

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating