Vulnerabilities and security researches forquadmenu quadmenu

Jun 07, 2024

CVE, Research URL: fb06d5d6f0e1d283dcf005ac94f52eaa0d2b6fdb
Home page URL: Security reports for WordPress Mega Menu – QuadMenu
Application: WordPress Mega Menu – QuadMenu
Date: Feb 22, 2021
Research Description: WordPress Mega Menu – QuadMenu [quadmenu] < 2.0.7 WordPress QuadMenu plugin <= 2.0.6 - Remote Code Execution (RCE) vulnerability Remote Code Execution (RCE) vulnerability found by Mikel Gorraiz in WordPress QuadMenu plugin (versions <= 2.0.6).
Affected versions: Min -, max -.
Status: vulnerable

Oct 18, 2024

CVE, Research URL: CVE-2021-4443
Home page URL: Security reports for WordPress Mega Menu – QuadMenu
Application: WordPress Mega Menu – QuadMenu
Date: Oct 16, 2024
Research Description: The WordPress Mega Menu plugin for WordPress is vulnerable to Arbitrary File Creation in versions up to, and including, 2.0.6 via the compiler_save AJAX action. This makes it possible for unauthenticated attackers to create arbitrary PHP files that can be used to execute malicious code.
Affected versions: Min -, max -.
Status: vulnerable

Apr 14, 2025

CVE, Research URL: CVE-2025-2871
Home page URL: Security reports for WordPress Mega Menu – QuadMenu
Application: WordPress Mega Menu – QuadMenu
Date: Apr 12, 2025
Research Description: The WordPress Mega Menu – QuadMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the ajax_dismiss_notice() function. This makes it possible for unauthenticated attackers to update any user meta to a value of one, including wp_capabilities which could result in a privilege deescalation of an administrator, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: Min -, max -.
Status: vulnerable