CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-13780: Hero Mega Menu - Responsive WordPress Menu Plugin <= 1.16.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Directory Deletion

6.5 CVSS

Description

The Hero Mega Menu - Responsive WordPress Menu Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the hmenu_delete_menu() function in all versions up to, and including, 1.16.5. This makes it possible for unauthenticated attackers to delete arbitrary directories on the server.

Classification

CVE ID: CVE-2024-13780

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem Types

CWE-862 Missing Authorization

Affected Products

Vendor: heroplugins

Product: Hero Mega Menu - Responsive WordPress Menu Plugin

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 8.91% (scored less or equal to compared to others)

EPSS Date: 2025-04-02 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-13780
https://www.wordfence.com/threat-intel/vulnerabilities/id/17872fe4-b566-44ca-8218-3677fb75cb1c?source=cve
https://codecanyon.net/item/hero-menu-responsive-wordpress-mega-menu-plugin/10324895

Timeline

2025-03-05 10:40:25 UTC
CVE

Hero Mega Menu - Responsive WordPress Menu Plugin <= 1.16.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Directory Deletion