Reflected Cross-Site Scripting in Hero Mega Menu Plugin for WordPress
CVE-2024-13779

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Hero Mega Menu - Responsive WordPress Menu Plugin
Vendor: CVE Published:; 5 March 2025

Summary

The Hero Mega Menu plugin for WordPress is susceptible to reflected cross-site scripting (XSS) attacks through its 'index' parameter. This vulnerability arises from inadequate input sanitization and output escaping, allowing unauthenticated attackers to inject malicious web scripts into affected pages. These scripts can execute if an unsuspecting user interacts with a crafted link, potentially leading to theft of sensitive information or session hijacking. It is crucial for users of this plugin to update to the latest version and apply necessary security measures to protect against such attacks.

Affected Version(s)

Hero Mega Menu - Responsive WordPress Menu Plugin * <= 1.16.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://codecanyon.net/item/hero-menu-responsive-wordpres...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 5, 2025
Vulnerability Reserved
Jan 28, 2025

Credit

Lucio Sá