Cross-Site Request Forgery in WordPress Mega Menu – QuadMenu Plugin
CVE-2025-2871
4.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 12 April 2025
What is CVE-2025-2871?
The Mega Menu – QuadMenu plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) across all versions up to and including 3.2.0. This vulnerability arises from inadequate nonce validation in the ajax_dismiss_notice() function. An unauthenticated attacker can exploit this flaw to alter any user's meta information to a value of one, including critical permissions like wp_capabilities. As a result, this may lead to unauthorized privilege elevation or privilege deescalation of site administrators if a user is deceived into executing a malicious request, such as clicking a compromised link.
Affected Version(s)
WordPress Mega Menu – QuadMenu * <= 3.2.0
References
CVSS V3.1
Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Peter Thaleikis