Search criteria
3 vulnerabilities found for mega_menu by themehunk
FKIE_CVE-2024-8434
Vulnerability from fkie_nvd - Published: 2024-09-25 03:15 - Updated: 2024-12-17 14:36
Severity ?
Summary
The Easy Mega Menu Plugin for WordPress – ThemeHunk plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions hooked via AJAX in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform actions like updating plugin settings.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:themehunk:mega_menu:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "49F58642-ED2D-4389-91FF-A752CEAA069D",
"versionEndExcluding": "1.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Mega Menu Plugin for WordPress \u2013 ThemeHunk plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions hooked via AJAX in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform actions like updating plugin settings."
},
{
"lang": "es",
"value": "El complemento Easy Mega Menu Plugin for WordPress \u2013 ThemeHunk para WordPress, es vulnerable al acceso no autorizado debido a la falta de una comprobaci\u00f3n de capacidad en varias funciones conectadas mediante AJAX en todas las versiones hasta la 1.0.9 incluida. Esto permite que atacantes autenticados, con acceso de nivel de suscriptor y superior, realicen acciones como actualizar la configuraci\u00f3n del complemento."
}
],
"id": "CVE-2024-8434",
"lastModified": "2024-12-17T14:36:19.633",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@wordfence.com",
"type": "Secondary"
}
]
},
"published": "2024-09-25T03:15:04.213",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/3156084/themehunk-megamenu-plus/tags/1.1.0/inc/megamenu-base.php"
},
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/3156084/themehunk-megamenu-plus/tags/1.1.0/inc/megamenu-nav-menu-settings.php"
},
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/3156084/themehunk-megamenu-plus/tags/1.1.0/inc/megamenu-setting.php"
},
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/3156084/themehunk-megamenu-plus/tags/1.1.0/inc/megamenu-widgets.php"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/be3869a9-f72d-4bbb-ba51-d2761ca761f2?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "security@wordfence.com",
"type": "Secondary"
}
]
}
CVE-2024-8434 (GCVE-0-2024-8434)
Vulnerability from cvelistv5 – Published: 2024-09-25 02:05 – Updated: 2024-09-25 13:30
VLAI?
Title
Easy Mega Menu Plugin for WordPress – ThemeHunk <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Settings Updates
Summary
The Easy Mega Menu Plugin for WordPress – ThemeHunk plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions hooked via AJAX in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform actions like updating plugin settings.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| themehunk | Easy Mega Menu Plugin for WordPress – ThemeHunk |
Affected:
* , ≤ 1.0.9
(semver)
|
Credits
Lucio Sá
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8434",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T13:12:20.340483Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T13:30:29.959Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Mega Menu Plugin for WordPress \u2013 ThemeHunk",
"vendor": "themehunk",
"versions": [
{
"lessThanOrEqual": "1.0.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Mega Menu Plugin for WordPress \u2013 ThemeHunk plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions hooked via AJAX in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform actions like updating plugin settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T02:05:23.562Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/be3869a9-f72d-4bbb-ba51-d2761ca761f2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3156084/themehunk-megamenu-plus/tags/1.1.0/inc/megamenu-base.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3156084/themehunk-megamenu-plus/tags/1.1.0/inc/megamenu-setting.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3156084/themehunk-megamenu-plus/tags/1.1.0/inc/megamenu-nav-menu-settings.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3156084/themehunk-megamenu-plus/tags/1.1.0/inc/megamenu-widgets.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-24T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Easy Mega Menu Plugin for WordPress \u2013 ThemeHunk \u003c= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Settings Updates"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-8434",
"datePublished": "2024-09-25T02:05:23.562Z",
"dateReserved": "2024-09-04T16:01:56.846Z",
"dateUpdated": "2024-09-25T13:30:29.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8434 (GCVE-0-2024-8434)
Vulnerability from nvd – Published: 2024-09-25 02:05 – Updated: 2024-09-25 13:30
VLAI?
Title
Easy Mega Menu Plugin for WordPress – ThemeHunk <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Settings Updates
Summary
The Easy Mega Menu Plugin for WordPress – ThemeHunk plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions hooked via AJAX in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform actions like updating plugin settings.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| themehunk | Easy Mega Menu Plugin for WordPress – ThemeHunk |
Affected:
* , ≤ 1.0.9
(semver)
|
Credits
Lucio Sá
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8434",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T13:12:20.340483Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T13:30:29.959Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Mega Menu Plugin for WordPress \u2013 ThemeHunk",
"vendor": "themehunk",
"versions": [
{
"lessThanOrEqual": "1.0.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Mega Menu Plugin for WordPress \u2013 ThemeHunk plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions hooked via AJAX in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform actions like updating plugin settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T02:05:23.562Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/be3869a9-f72d-4bbb-ba51-d2761ca761f2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3156084/themehunk-megamenu-plus/tags/1.1.0/inc/megamenu-base.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3156084/themehunk-megamenu-plus/tags/1.1.0/inc/megamenu-setting.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3156084/themehunk-megamenu-plus/tags/1.1.0/inc/megamenu-nav-menu-settings.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3156084/themehunk-megamenu-plus/tags/1.1.0/inc/megamenu-widgets.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-24T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Easy Mega Menu Plugin for WordPress \u2013 ThemeHunk \u003c= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Settings Updates"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-8434",
"datePublished": "2024-09-25T02:05:23.562Z",
"dateReserved": "2024-09-04T16:01:56.846Z",
"dateUpdated": "2024-09-25T13:30:29.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}