CVE-2024-54381

Vulnerability

An authorization flaw exists in the Dotstore Advance Menu Manager plugin for WordPress. Versions ≤ 3.1.1 (including the Pro variant) fail to properly enforce access controls on certain server‑side functions, exposing them to any authenticated user regardless of capability [1]. The plugin, designed to simplify complex navigation editing in content‑heavy sites, registers AJAX handlers and REST endpoints that should be restricted to administrators but are callable by subscribers or editors [1].

Exploitation

An attacker needs only a valid WordPress user account with the lowest ‘Subscriber’ role, which can be self‑created on sites permitting registration. By sending crafted requests to the vulnerable endpoints (e.g., adding menu items, modifying menu structure, or locking/unlocking menus), the attacker can execute arbitrary menu operations without the intended manage_options or edit_theme_options capability checks [1]. No additional user interaction beyond being logged in is required.

Impact

A successful exploit lets an unprivileged attacker manipulate the site’s navigation menus: add, edit, delete, reorder, lock, or unlock any menu. In content‑heavy installations this can lead to defacement, phishing links injected into menus, broken navigation, or denial of service for legitimate editors who cannot unlock menus. There is no evidence of arbitrary file access or remote code execution, but the integrity and availability of the menu system are fully compromised [1].

Mitigation

The vendor published version 3.1.3 (or later) which implements proper capability checks. Users must update Advance Menu Manager to at least version 3.1.3 via the WordPress plugin updater or by downloading the latest release from the plugin repository [1]. There is no known workaround for versions ≤ 3.1.1. The plugin’s free version is also affected and should be updated. No CISA‑KEV listing exists for this CVE.