WordPress Plugin Vulnerabilities

ThemeHunk <= 1.1.2- Missing Authorization

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on a function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
themehunk-megamenu-plus
No known fix

References

CVE
CVE-2025-30990
URL
https://patchstack.com/database/wordpress/plugin/themehunk-megamenu-plus/vulnerability/wordpress-themehunk-1-1-1-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
domiee13
Verified
No
WPVDB ID
85af406a-ae1f-48e8-b666-f00ecadafb4a

Timeline

Publicly Published
2025-06-05 (about 1 year ago)
Added
2025-06-10 (about 1 year ago)
Last Updated
2025-06-26 (about 11 months ago)

Other

Published
Title
Published
2026-02-17
Title
Business Directory Plugin < 6.4.21 - Missing Authorization to Unauthenticated Arbitrary Listing Modification
Published
2024-01-31
Title
WooCommerce Conversion Tracking < 2.0.12 - Subscriber+ Addon Installation
Published
2026-04-23
Title
HubSpot All-In-One Marketing - Forms, Popups, Live Chat < 11.3.33 - Missing Authorization to Authenticated (Contributor+) Installed Plugin Disclosure
Published
2025-02-21
Title
Residential Address Detection < 2.5.5 - Unauthenticated Arbitrary Options Update
Published
2024-07-18
Title
YITH Essential Kit for WooCommerce #1 < 2.35.0 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install, Activation, and Deactivation