Arbitrary File Deletion in Hero Mega Menu Plugin for WordPress
CVE-2024-13780
6.5 MEDIUM
Key Information:
- Vendor: Heroplugins
- Product: Hero Mega Menu - Responsive WordPress Menu Plugin
- CVE Published: 5 March 2025
Summary
The Hero Mega Menu - Responsive WordPress Menu Plugin is prone to a serious security flaw due to inadequate file path validation within the hmenu_delete_menu() function. This vulnerability can allow unauthenticated attackers to delete arbitrary directories on the server, potentially leading to loss of data and disruption of service. All versions of the plugin prior to 1.16.5 are affected, highlighting the need for users to update and secure their installations promptly.
Affected Version(s)
Hero Mega Menu - Responsive WordPress Menu Plugin * <= 1.16.5
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Credit
Lucio Sá