CVE-2024-7894 (GCVE-0-2024-7894)
Vulnerability from cvelistv5 – Published: 2024-12-07 01:45 – Updated: 2026-04-08 17:35
VLAI
Title
If Menu <= 0.19.1 - Missing Authorization to License Key Update
Summary
The If Menu plugin for WordPress is vulnerable to unauthorized modification of the plugin's license key due to a missing capability check on the 'actions' function in versions up to, and including, 0.19.1. This makes it possible for unauthenticated attackers to modify delete or modify the license key.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| andreiigna | If Menu – Visibility control for Menus |
Affected:
0 , ≤ 0.19.1
(semver)
|
|
| andreiigna | if_menu |
Affected:
0 , ≤ 0.19.1
(semver)
cpe:2.3:a:andreiigna:if_menu:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:andreiigna:if_menu:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "if_menu",
"vendor": "andreiigna",
"versions": [
{
"lessThanOrEqual": "0.19.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7894",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-09T22:10:03.919940Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T16:12:53.573Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "If Menu \u2013 Visibility control for Menus",
"vendor": "andreiigna",
"versions": [
{
"lessThanOrEqual": "0.19.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Marco Wotschka"
}
],
"descriptions": [
{
"lang": "en",
"value": "The If Menu plugin for WordPress is vulnerable to unauthorized modification of the plugin\u0027s license key due to a missing capability check on the \u0027actions\u0027 function in versions up to, and including, 0.19.1. This makes it possible for unauthenticated attackers to modify delete or modify the license key."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:35:20.288Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ff6ebf45-4617-44dd-94d8-28aa8bc1609b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/if-menu/trunk/src/Admin.php#L16"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3203054%40if-menu\u0026new=3203054%40if-menu\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2023-10-12T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-12-06T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "If Menu \u003c= 0.19.1 - Missing Authorization to License Key Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7894",
"datePublished": "2024-12-07T01:45:53.438Z",
"dateReserved": "2024-08-16T19:31:50.212Z",
"dateUpdated": "2026-04-08T17:35:20.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-7894",
"date": "2026-06-29",
"epss": "0.00349",
"percentile": "0.26806"
},
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"The If Menu plugin for WordPress is vulnerable to unauthorized modification of the plugin\u0027s license key due to a missing capability check on the \u0027actions\u0027 function in versions up to, and including, 0.19.1. This makes it possible for unauthenticated attackers to modify delete or modify the license key.\"}, {\"lang\": \"es\", \"value\": \"El complemento If Menu para WordPress es vulnerable a la modificaci\\u00f3n no autorizada de la clave de licencia del complemento debido a la falta de una comprobaci\\u00f3n de capacidad en la funci\\u00f3n \\\"acciones\\\" en versiones hasta la 0.19.1 incluida. Esto hace posible que atacantes no autenticados modifiquen, eliminen o modifiquen la clave de licencia.\"}]",
"id": "CVE-2024-7894",
"lastModified": "2024-12-07T02:15:19.323",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security@wordfence.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}]}",
"published": "2024-12-07T02:15:19.323",
"references": "[{\"url\": \"https://plugins.trac.wordpress.org/browser/if-menu/trunk/src/Admin.php#L16\", \"source\": \"security@wordfence.com\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3203054%40if-menu\u0026new=3203054%40if-menu\u0026sfp_email=\u0026sfph_mail=\", \"source\": \"security@wordfence.com\"}, {\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/ff6ebf45-4617-44dd-94d8-28aa8bc1609b?source=cve\", \"source\": \"security@wordfence.com\"}]",
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security@wordfence.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-862\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-7894\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2024-12-07T02:15:19.323\",\"lastModified\":\"2026-06-17T08:21:08.097\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The If Menu plugin for WordPress is vulnerable to unauthorized modification of the plugin\u0027s license key due to a missing capability check on the \u0027actions\u0027 function in versions up to, and including, 0.19.1. This makes it possible for unauthenticated attackers to modify delete or modify the license key.\"},{\"lang\":\"es\",\"value\":\"El complemento If Menu para WordPress es vulnerable a la modificaci\u00f3n no autorizada de la clave de licencia del complemento debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n \\\"acciones\\\" en versiones hasta la 0.19.1 incluida. Esto hace posible que atacantes no autenticados modifiquen, eliminen o modifiquen la clave de licencia.\"}],\"affected\":[{\"source\":\"security@wordfence.com\",\"affectedData\":[{\"vendor\":\"andreiigna\",\"product\":\"If Menu \u2013 Visibility control for Menus\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"0\",\"lessThanOrEqual\":\"0.19.1\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"affectedData\":[{\"vendor\":\"andreiigna\",\"product\":\"if_menu\",\"defaultStatus\":\"unknown\",\"cpes\":[\"cpe:2.3:a:andreiigna:if_menu:*:*:*:*:*:*:*:*\"],\"versions\":[{\"version\":\"0\",\"lessThanOrEqual\":\"0.19.1\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2024-12-09T22:10:03.919940Z\",\"id\":\"CVE-2024-7894\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/if-menu/trunk/src/Admin.php#L16\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3203054%40if-menu\u0026new=3203054%40if-menu\u0026sfp_email=\u0026sfph_mail=\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/ff6ebf45-4617-44dd-94d8-28aa8bc1609b?source=cve\",\"source\":\"security@wordfence.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-7894\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-09T22:10:03.919940Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:andreiigna:if_menu:*:*:*:*:*:*:*:*\"], \"vendor\": \"andreiigna\", \"product\": \"if_menu\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"0.19.1\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-10T16:12:39.706Z\"}}], \"cna\": {\"title\": \"If Menu \u003c= 0.19.1 - Missing Authorization to License Key Update\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Marco Wotschka\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\"}}], \"affected\": [{\"vendor\": \"andreiigna\", \"product\": \"If Menu \\u2013 Visibility control for Menus\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"0.19.1\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2023-10-12T00:00:00.000Z\", \"value\": \"Discovered\"}, {\"lang\": \"en\", \"time\": \"2024-12-06T00:00:00.000Z\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/ff6ebf45-4617-44dd-94d8-28aa8bc1609b?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/if-menu/trunk/src/Admin.php#L16\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3203054%40if-menu\u0026new=3203054%40if-menu\u0026sfp_email=\u0026sfph_mail=\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The If Menu plugin for WordPress is vulnerable to unauthorized modification of the plugin\u0027s license key due to a missing capability check on the \u0027actions\u0027 function in versions up to, and including, 0.19.1. This makes it possible for unauthenticated attackers to modify delete or modify the license key.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862 Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2024-12-07T01:45:53.438Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-7894\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-10T16:12:53.573Z\", \"dateReserved\": \"2024-08-16T19:31:50.212Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2024-12-07T01:45:53.438Z\", \"assignerShortName\": \"Wordfence\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…