CVE-2024-7894: If Menu <= 0.19.1 - Missing Authorization to License Key Update

5.3 CVSS

Description

The If Menu plugin for WordPress is vulnerable to unauthorized modification of the plugin's license key due to a missing capability check on the 'actions' function in versions up to, and including, 0.19.1. This makes it possible for unauthenticated attackers to modify delete or modify the license key.

Classification

CVE ID: CVE-2024-7894

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

Affected Products

Vendor: andreiigna

Product: If Menu – Visibility control for Menus

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 23.36% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/ff6ebf45-4617-44dd-94d8-28aa8bc1609b?source=cve
https://plugins.trac.wordpress.org/browser/if-menu/trunk/src/Admin.php#L16
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3203054%40if-menu&new=3203054%40if-menu&sfp_email=&sfph_mail=

Timeline

2024-12-11 00:31:13 UTC
CVE

If Menu <= 0.19.1 - Missing Authorization to License Key Update