Cross-Site Request Forgery Vulnerability in Superfly Responsive Menu Plugin for WordPress
CVE-2024-3238

CVSS 8.8 (HIGH)

What is CVE-2024-3238?

The Superfly Responsive Menu plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF). The flaw arises from missing or inadequate nonce validation in the ajax_handle_delete_icons() function, which lets an unauthenticated attacker delete arbitrary files if they can trick a site administrator into triggering a crafted request. A patch for the CSRF issue was released in version 5.0.28, but robust directory traversal protections were not added until version 5.0.30, so versions up to and including 5.0.29 remain exposed.
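As an added illustration (not the plugin's own code), this is the shape of a WordPress admin-ajax delete handler that closes both gaps the advisory names: a nonce check bound to the action, and confinement of the target path to one directory. The hook, action, nonce and directory names (my_plugin_delete_icon, icons/) are hypothetical.

```php
<?php
// Added example, not code from the Superfly Responsive Menu plugin.
// Hook, action and directory names below are hypothetical.

// Logged-in requests only: deliberately no wp_ajax_nopriv_ hook, so
// anonymous requests never reach the handler at all.
add_action( 'wp_ajax_my_plugin_delete_icon', 'my_plugin_ajax_delete_icon' );

function my_plugin_ajax_delete_icon() {
    // 1. CSRF defence: a nonce tied to this action and the current user.
    //    check_ajax_referer() exits with HTTP 403 when the nonce is missing
    //    or stale, which is the check the advisory says was absent.
    check_ajax_referer( 'my_plugin_delete_icon', '_ajax_nonce' );

    // 2. Authorisation: a valid nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Path confinement: accept a bare file name only, then verify the
    //    resolved path is still inside the icons directory.
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( '' === $name || $name !== basename( $name ) ) {
        wp_send_json_error( 'invalid file name', 400 );
    }

    $upload_dir = wp_upload_dir();
    $icons_dir  = realpath( trailingslashit( $upload_dir['basedir'] ) . 'icons' );
    $target     = realpath( $icons_dir . '/' . $name );

    // realpath() returns false for non-existent paths and resolves any
    // "../" segment or symlink, so a prefix test on its result is reliable.
    if ( false === $icons_dir || false === $target
        || 0 !== strpos( $target, $icons_dir . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'file outside icons directory', 400 );
    }

    if ( ! @unlink( $target ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $name ) );
}

// The admin page that issues the request must embed the matching nonce,
// e.g. wp_create_nonce( 'my_plugin_delete_icon' ), as the _ajax_nonce field.
```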

Affected Version(s)

WordPress Menu Plugin - Superfly Responsive Menu: 0 <= 5.0.29

CVSS v3.1

  • Score: 8.8
  • Severity: HIGH
  • Confidentiality: High
  • Integrity: High
  • Availability: High
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged

Timeline

  • Vulnerability published