WordPress Plugin Vulnerabilities

Advanced Menu Manager < 3.0.7 - Unauthorised Menu Creation/Deletion

Description

The plugin is lacking any capability and CSRF checks in its my_action_delete_menu and my_action_create_menu_ajax AJAX actions, allowing any authenticated users (such as subscriber) to call them. Such attack could also be performed via a CSRF vector against any logged in user.

Note: v3.0.7 added CSRF checks only (with nonce only available to admins), however capability checks are still missing

Proof of Concept

Affects Plugins

Plugin icon
advance-menu-manager
Fixed in 3.0.7

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
WPScan
Verified
Yes
WPVDB ID
9146b003-6767-42e1-ae59-bbef4e8f9639

Timeline

Publicly Published
2021-07-12 (about 4 years ago)
Added
2021-07-12 (about 4 years ago)
Last Updated
2023-11-10 (about 2 years ago)

Other

Published
Title
Published
2021-12-29
Title
Orange Form <= 1.0.1 - Unauthenticated Arbitrary Post Deletion
Published
2022-01-05
Title
SupportCandy < 2.2.5 - Unauthenticated Arbitrary Ticket Deletion
Published
2022-06-28
Title
Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update
Published
2022-09-19
Title
Memberpress Downloads < 1.2.6 - Subscriber+ Arbitrary File Upload
Published
2024-06-14
Title
AIomatic - Automatic AI Content Writer < 2.0.6 - Unauthenticated Arbitrary Email Sending