WordPress Plugin Vulnerabilities

Different Menu in Different Pages < 2.4.0 - Subscriber+ Menu Duplication

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on the ajax() function, allowing authenticated attackers, with subscriber-level access and above, to duplicate menus.

Affects Plugins

Plugin icon
different-menus-in-different-pages
Fixed in 2.4.0

References

CVE
CVE-2024-3206
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1f9d4d86-9d5f-4888-9cc4-d55c117ae4ea

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
da991bfd-828b-4e11-8e48-9de3118b2053

Timeline

Publicly Published
2024-04-29 (about 2 years ago)
Added
2024-04-29 (about 2 years ago)
Last Updated
2024-08-12 (about 1 year ago)

Other

Published
Title
Published
2023-02-28
Title
WP Shamsi <= 4.3.3 - Subscriber+ Attachment Deletion
Published
2026-05-15
Title
Multicollab: Content Team Collaboration and Editorial Workflow < 5.3 - Missing Authorization to Authenticated (Subscriber+) Collaboration Comment
Published
2025-07-18
Title
Vchasno Kasa < 1.0.4 - Unauthenticated Log File Clearing
Published
2026-05-27
Title
SMTP2GO for WordPress < 1.17.0 - Missing Authorization to Authenticated (Subscriber+) Log Read/Truncate
Published
2026-01-08
Title
Campaign Monitor for WordPress < 2.9.2 - Missing Authorization