High severity8.8NVD Advisory· Published Aug 2, 2024· Updated Apr 15, 2026
CVE-2024-3238
CVE-2024-3238
Description
The WordPress Menu Plugin — Superfly Responsive Menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.29. This is due to missing or incorrect nonce validation on the ajax_handle_delete_icons() function. This makes it possible for unauthenticated attackers to delete arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Please not the CSRF was patched in 5.0.28, however, adequate directory traversal protection wasn't introduced until 5.0.30.
Affected products
2<=5.0.30+ 1 more
- (no CPE)range: <=5.0.30
- (no CPE)range: <=5.0.29
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.