Vulnerabilities and security researches forconditional-menus conditional-menus

Jun 07, 2024

CVE, Research URL: CVE-2023-2654
Home page URL: Security reports for Conditional Menus
Application: Conditional Menus
Date: Jun 19, 2023
Research Description: The Conditional Menus WordPress plugin before 1.2.1 does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Affected versions: max 1.2.1.
Status: vulnerable

Apr 14, 2026

CVE, Research URL: CVE-2026-1032
Home page URL: Security reports for Conditional Menus
Application: Conditional Menus
Date: Mar 26, 2026
Research Description: The Conditional Menus plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.6. This is due to missing nonce validation on the 'save_options' function. This makes it possible for unauthenticated attackers to modify conditional menu assignments via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 1.2.7.
Status: vulnerable