Description
The WordPress Mega Menu – QuadMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the ajax_dismiss_notice() function. This makes it possible for unauthenticated attackers to update any user meta to a value of one, including wp_capabilities which could result in a privilege deescalation of an administrator, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-04-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Deescalation via Cross-Site Request Forgery
Action: Immediate Patch
AI Analysis

Impact

The vulnerable version of the WordPress Mega Menu – QuadMenu plugin lacks proper nonce validation in its ajax_dismiss_notice handler. Because unauthenticated users can call this endpoint with a forged request, they can set any user meta field to the value one. When the wp_capabilities meta is updated, an administrator’s role can be downgraded, effectively removing administrative rights and compromising site security. This constitutes a privilege deescalation flaw that can be exploited only after convincing a legitimate administrator to perform a specific action such as clicking a malicious link.

Affected Systems

The affected product is QuadMenu – Mega Menu from quadlayers, in all releases up to and including version 3.2.0. Upgrading to 3.2.1 or later is required to eliminate the flaw.

Risk and Exploitability

The CVSS score of 4.3 and an EPSS below 1% indicate limited severity and a very small chance that the attack will be observed in the wild. With no listing in the CISA KEV catalog, the vulnerability is not known to be actively exploited. An attacker can still use social engineering to trick an administrator into executing the forged Ajax call, but the overall risk remains modest compared to higher-impact flaws.

Generated by OpenCVE AI on April 22, 2026 at 17:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the QuadMenu plugin to version 3.2.1 or later where the nonce check is restored in ajax_dismiss_notice.
  • If an update is not immediately available, remove or restrict access to the ajax_dismiss_notice endpoint, for example by disabling the related feature or using a firewall rule to block unauthenticated requests to that URL.
  • Review and enforce WordPress security best practices by ensuring that all Ajax requests use valid nonces and that user capability changes are logged to detect unauthorized modifications.
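The recommended actions above come down to three controls on an admin-ajax handler: a nonce check, an authorization check, and an allow-list so a request cannot name an arbitrary user meta key such as wp_capabilities. The following is an added example in WordPress plugin style, written for this page and not taken from the QuadMenu plugin; every function, action and meta-key name prefixed hyp_ is an assumption for illustration. It also includes the capability-change logging hook mentioned in the third recommendation.

```php
<?php
/**
 * Added example (not QuadMenu code): a hardened "dismiss notice" AJAX handler
 * plus a log hook for capability changes. All hyp_* names are hypothetical.
 */

// Notices a user may dismiss. The allow-list means the request can only
// select one of these, never an arbitrary meta key like wp_capabilities.
function hyp_allowed_notices() {
    return array( 'hyp_welcome_notice', 'hyp_rating_notice' );
}

// Only the authenticated hook is registered. There is deliberately no
// wp_ajax_nopriv_ counterpart, so logged-out callers never reach the handler.
add_action( 'wp_ajax_hyp_dismiss_notice', 'hyp_dismiss_notice' );

function hyp_dismiss_notice() {
    // 1. CSRF check: the nonce is tied to this action and to the caller's
    //    session, so a request forged from another site cannot carry a
    //    valid one. check_ajax_referer() dies with -1 on failure.
    check_ajax_referer( 'hyp_dismiss_notice', 'nonce' );

    // 2. Authorization: dismissing a notice is harmless, so any logged-in
    //    user may do it, but only for their own account.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    // 3. Input validation: the notice name must be on the allow-list.
    $notice = isset( $_POST['notice'] ) ? sanitize_key( wp_unslash( $_POST['notice'] ) ) : '';
    if ( ! in_array( $notice, hyp_allowed_notices(), true ) ) {
        wp_send_json_error( 'unknown notice', 400 );
    }

    // 4. Write a fixed value to a namespaced key for the current user only;
    //    neither the key nor the target user comes from the request.
    update_user_meta( get_current_user_id(), 'hyp_dismissed_' . $notice, 1 );
    wp_send_json_success();
}

// Hand the nonce to the admin-page script that sends the dismiss request.
add_action( 'admin_enqueue_scripts', 'hyp_enqueue_notice_script' );
function hyp_enqueue_notice_script() {
    wp_enqueue_script( 'hyp-notices', plugins_url( 'notices.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'hyp-notices', 'hypNotices', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'hyp_dismiss_notice' ),
    ) );
}

// Detection: record every change to the capabilities meta so an unexpected
// role downgrade of an administrator is visible in the server log.
// The real key is "{$wpdb->prefix}capabilities" (wp_capabilities by default).
add_action( 'updated_user_meta', 'hyp_log_capability_change', 10, 4 );
function hyp_log_capability_change( $meta_id, $user_id, $meta_key, $meta_value ) {
    global $wpdb;
    if ( $meta_key !== $wpdb->prefix . 'capabilities' ) {
        return;
    }
    error_log( sprintf(
        '[hyp] capabilities of user %d changed to %s by user %d from %s',
        $user_id,
        wp_json_encode( $meta_value ),
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
}
```

The nonce alone stops the cross-site forgery described in this CVE; the allow-list and the fixed target user are what keep a future regression of the nonce check from turning a notice-dismissal endpoint into a general user-meta writer. The log hook fires on the core updated_user_meta action regardless of which code performed the write, so it also covers changes made through other plugins.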


Advisories
Source: EUVD
ID: EUVD-2025-10839
Title: The WordPress Mega Menu – QuadMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the ajax_dismiss_notice() function. This makes it possible for unauthenticated attackers to update any user meta to a value of one, including wp_capabilities which could result in a privilege deescalation of an administrator, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Mon, 14 Apr 2025 17:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 12 Apr 2025 03:45:00 +0000

Type: Description
Values Added: The WordPress Mega Menu – QuadMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the ajax_dismiss_notice() function. This makes it possible for unauthenticated attackers to update any user meta to a value of one, including wp_capabilities which could result in a privilege deescalation of an administrator, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values Added: WordPress Mega Menu – QuadMenu <= 3.2.0 - Cross-Site Request Forgery to Limited User Meta Update

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:38:17.495Z

Reserved: 2025-03-27T13:52:24.613Z

Link: CVE-2025-2871

Vulnrichment

Updated: 2025-04-14T16:27:33.865Z

NVD

Status: Deferred

Published: 2025-04-12T04:15:39.283

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2871

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:45:22Z

Weaknesses