CVE-2025-24692
Description
Missing authorization in Bulk Menu Edit plugin allows unauthorized users to modify menu items, fixed in version 1.3.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Bulk Menu Edit plugin for WordPress (versions through 1.3) contains a missing authorization vulnerability. The plugin fails to perform capability checks for menu operations, so any authenticated user can modify menu items without holding the permissions those operations require. The affected range is given as "n/a through 1.3" in the CVE description [1].
Exploitation
An attacker with any level of WordPress authentication (e.g., subscriber) can exploit this by sending crafted requests to the plugin's AJAX handlers, which lack nonce verification and capability checks in affected versions. The attacker can manipulate menu items via the plugin's functionality without needing administrator privileges [1].
Impact
Successful exploitation allows an attacker to arbitrarily add, remove, or modify menu items, potentially redirecting users to malicious sites or disrupting site navigation. This compromises the integrity of the WordPress site and could be used for phishing or defacement attacks [1].
Mitigation
The vulnerability is fixed in version 1.3.1 of the Bulk Menu Edit plugin, released on 2025-01-21. Users should update to version 1.3.1 or later immediately. The changelog confirms that capability checks and nonce verification were added to address this issue [1].
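The two checks the Mitigation section says were added (nonce verification and a capability check on the AJAX handler), shown as an added PHP example that is not the Bulk Menu Edit plugin's own code: the unchecked handler pattern beside a hardened one. The action name, function names and nonce action string are hypothetical.

```php
<?php
// Added example, not code from the Bulk Menu Edit plugin. Names are hypothetical.

// Unchecked pattern, shown for contrast only (never hooked here): every
// logged-in role reaches a 'wp_ajax_' callback, so with no nonce and no
// capability check a subscriber can rewrite menu items.
function example_bulk_menu_update_unchecked() {
    wp_update_nav_menu_item( (int) $_POST['menu_id'], (int) $_POST['menu_item_id'], array(
        'menu-item-title' => $_POST['title'],
        'menu-item-url'   => $_POST['url'],
    ) );
    wp_send_json_success();
}

// Hardened pattern: verify the nonce issued to the admin page, then require
// the capability WordPress itself uses for the Appearance > Menus screen.
add_action( 'wp_ajax_example_bulk_menu_update', 'example_bulk_menu_update_checked' );
function example_bulk_menu_update_checked() {
    // Dies with HTTP 403 when the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_bulk_menu_nonce', 'nonce' );

    // Subscribers and other low-privilege roles lack edit_theme_options.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $menu_id = isset( $_POST['menu_id'] ) ? absint( $_POST['menu_id'] ) : 0;
    $item_id = isset( $_POST['menu_item_id'] ) ? absint( $_POST['menu_item_id'] ) : 0;
    $args    = array(
        'menu-item-title'  => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'menu-item-url'    => esc_url_raw( wp_unslash( $_POST['url'] ?? '' ) ),
        'menu-item-status' => 'publish',
    );

    // Returns the menu item ID on success or a WP_Error on failure.
    $result = wp_update_nav_menu_item( $menu_id, $item_id, $args );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'menu_item_id' => $result ) );
}

// The nonce the hardened handler expects is handed to the admin page's script:
// wp_localize_script( 'example-bulk-menu', 'exampleBulkMenu',
//     array( 'nonce' => wp_create_nonce( 'example_bulk_menu_nonce' ) ) );
```

A reviewer auditing a plugin for this class of bug looks for `wp_ajax_` callbacks that reach `wp_update_nav_menu_item` (or similar write functions) without both `check_ajax_referer` and `current_user_can` on the path.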
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries:
- (no CPE) range: <=1.3
- (no CPE) range: <=1.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.