CVE-2024-2962
Description
The Networker - Tech News WordPress Theme with Dark Mode theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_reload_nav_menu() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to modify the location of display menus.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Networker WordPress theme ≤1.1.9 lacks a capability check on admin_reload_nav_menu(), allowing unauthenticated attackers to change menu display locations.
Vulnerability
Description
The Networker WordPress theme, version 1.1.9 and earlier, contains an improper access control vulnerability in the admin_reload_nav_menu() function, which is registered to handle AJAX requests via the wp_ajax_nopriv_ hook [1][2]. The nopriv hook exposes the handler to visitors who are not logged in, and the handler itself performs no authentication or capability check, so unauthenticated users can invoke it [1]. The vulnerable endpoint is /wp-admin/admin-ajax.php with the action parameter csco_reload_menu [1].
Attack
Vector
An attacker can exploit this flaw by sending a crafted POST or GET request to the vulnerable endpoint, providing parameters such as menu_id, menu_name (which specifies a menu location name like primary or footer), and menu_checked (value 0 or 1) to enable or disable the menu's display at that location [1]. No prior authentication or special privileges are required, and the attack can be carried out over HTTP [1].
Impact
By manipulating the menu_checked parameter, an unauthenticated attacker can arbitrarily assign or remove menus from designated display areas (e.g., primary navigation, footer). This allows an attacker to hide legitimate menus from the site's frontend or reveal hidden menus, potentially altering site navigation and user experience [1]. The impact is limited to modifying menu location assignments; other menu data or content is not directly affected.
Mitigation
At the time of disclosure, version 1.1.9 was the latest release, and no official patch was available [1]. The recommended fix is to remove the wp_ajax_nopriv_csco_reload_menu action hook in the theme's mega-menu.php file and to gate the handler on an appropriate capability, so that the function is only reachable by authenticated users who are allowed to manage menus [2]. Site administrators should apply this code change as a workaround; because theme updates overwrite the theme's files, the change belongs in a child theme or must be re-applied after each update until a fixed release is available.
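The handler pattern described in the Vulnerability, Attack Vector and Mitigation sections above, as an added example that is not code from the Networker theme and not the vendor's fix (none was available at disclosure). Only the hook name csco_reload_menu and the parameter names menu_id, menu_name and menu_checked come from the advisory; the handler bodies, the nonce name csco_reload_menu and the nonce field name nonce are assumptions of this example, and the way the handler writes the nav_menu_locations theme mod is a reconstruction of "enable or disable the menu's display at that location", not the theme's actual code.

```php
<?php
/**
 * Added example (not the Networker theme's code). Reconstructs the advisory's
 * description of an AJAX menu-location handler, first as the unchecked pattern
 * the advisory describes, then hardened with the checks a fix needs.
 */

// --- Unchecked pattern (hypothetical reconstruction of the flaw).
// With the nopriv hook registered, any visitor can send
//   POST /wp-admin/admin-ajax.php
//   action=csco_reload_menu&menu_id=5&menu_name=primary&menu_checked=0
// and the location assignment is written with no login, capability or nonce check.
function csco_reload_menu_unchecked() {
	$menu_id  = isset( $_POST['menu_id'] ) ? (int) $_POST['menu_id'] : 0;
	$location = isset( $_POST['menu_name'] ) ? $_POST['menu_name'] : '';
	$checked  = isset( $_POST['menu_checked'] ) ? (int) $_POST['menu_checked'] : 0;

	$locations = get_theme_mod( 'nav_menu_locations', array() );
	if ( $checked ) {
		$locations[ $location ] = $menu_id;   // show menu $menu_id at $location
	} else {
		unset( $locations[ $location ] );     // hide whatever menu was at $location
	}
	set_theme_mod( 'nav_menu_locations', $locations );
	wp_send_json_success();
}
// The two registrations below are what makes the handler reachable by anyone;
// they are shown commented out and must NOT be present in a fixed theme.
// add_action( 'wp_ajax_csco_reload_menu', 'csco_reload_menu_unchecked' );
// add_action( 'wp_ajax_nopriv_csco_reload_menu', 'csco_reload_menu_unchecked' );

// --- Hardened handler: capability check, nonce check, strict input validation.
function csco_reload_menu_checked() {
	// 1. Authorization: assigning menus to locations is an edit_theme_options action
	//    (the capability WordPress itself requires on Appearance > Menus).
	if ( ! current_user_can( 'edit_theme_options' ) ) {
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
	}

	// 2. CSRF protection: the admin page must send a nonce created with
	//    wp_create_nonce( 'csco_reload_menu' ) in a field named "nonce" (assumed names).
	check_ajax_referer( 'csco_reload_menu', 'nonce' );

	// 3. Input validation: only a registered location, an existing menu, and a 0/1 flag.
	$location = isset( $_POST['menu_name'] ) ? sanitize_key( wp_unslash( $_POST['menu_name'] ) ) : '';
	if ( '' === $location || ! array_key_exists( $location, get_registered_nav_menus() ) ) {
		wp_send_json_error( array( 'message' => 'unknown menu location' ), 400 );
	}

	$menu_id = isset( $_POST['menu_id'] ) ? absint( $_POST['menu_id'] ) : 0;
	$checked = isset( $_POST['menu_checked'] ) && '1' === (string) wp_unslash( $_POST['menu_checked'] );
	if ( $checked && ! wp_get_nav_menu_object( $menu_id ) ) {
		wp_send_json_error( array( 'message' => 'unknown menu' ), 400 );
	}

	$locations = get_theme_mod( 'nav_menu_locations', array() );
	if ( $checked ) {
		$locations[ $location ] = $menu_id;
	} else {
		unset( $locations[ $location ] );
	}
	set_theme_mod( 'nav_menu_locations', $locations );
	wp_send_json_success( array( 'locations' => $locations ) );
}
// Logged-in hook only. There is deliberately no wp_ajax_nopriv_ registration:
// an anonymous request to action=csco_reload_menu now gets WordPress's default
// "0" / 400 response from admin-ajax.php instead of reaching the handler.
add_action( 'wp_ajax_csco_reload_menu', 'csco_reload_menu_checked' );
```

Dropping the nopriv hook alone is not enough: it only forces a login, so any subscriber-level account could still repoint menus. The current_user_can() check is what ties the action to the role WordPress already uses for menu management, and check_ajax_referer() stops a logged-in administrator from being driven to the endpoint by a cross-site request. Each wp_send_json_error() call terminates the request, so no fall-through to the write is possible.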
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries
- (no CPE) range: <=1.1.9
- (no CPE) range: <=1.1.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions
No linked articles in our index yet.