Easy Mega Menu Plugin Vulnerable to Stored Cross-Site Scripting
CVE-2024-8433
Key Information:
- Vendor: WordPress
- CVE Published: 8 October 2024
Summary
The Easy Mega Menu Plugin for WordPress by ThemeHunk is prone to a Stored Cross-Site Scripting vulnerability due to inadequate input sanitization and output escaping. This flaw permits authenticated attackers with subscriber-level access or higher to inject arbitrary web scripts into pages. When users subsequently access compromised pages, malicious scripts can execute, leading to potential data breaches or unauthorized actions. Although version 1.1.0 implemented partial fixes, the absence of comprehensive authorization protections means the risk persists. Website administrators should urgently apply security updates and review user permissions to mitigate exposure.
Affected Version(s)
Easy Mega Menu Plugin for WordPress – ThemeHunk * <= 1.1.0