Medium severity (CVSS 5.4) · NVD Advisory · Published Jan 24, 2025 · Updated Apr 23, 2026

CVE-2025-24714

Description

Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Bubble Menu – circle floating menu (bubble-menu) allows Cross-Site Request Forgery. This issue affects Bubble Menu – circle floating menu: from n/a through 4.0.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in the Bubble Menu plugin (<= 4.0.2) allows an attacker to force privileged users into executing unwanted actions.

The Bubble Menu – circle floating menu WordPress plugin, versions up to and including 4.0.2, contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. The flaw stems from insufficient validation of the origin of state-changing requests, which lets a malicious actor trick an authenticated user with higher privileges into performing unintended actions on their behalf. The attacker needs no credentials of their own; the attack depends on a logged-in victim interacting with attacker-controlled content.

A successful CSRF attack involves an attacker crafting a malicious link or form that, when visited or submitted by an authenticated administrator or editor, performs state-changing operations in the plugin's context [1]. The prerequisite is that the victim has an active session in the WordPress dashboard. No special network position is required; the payload can be delivered via email, social engineering, or by embedding it on a compromised website.

The impact is that an attacker can force privileged users to change plugin settings, modify configurations, or execute other actions under the victim's authentication [1]. While the CVSS score of 5.4 indicates medium severity, vulnerabilities of this kind are commonly used in mass-exploitation campaigns that target thousands of sites regardless of a plugin's popularity.

The vendor has released version 4.0.3, which patches the CSRF vulnerability [1]. Users are advised to update immediately. Those who cannot update should contact their hosting provider or a web developer. Patchstack users can enable auto-updates for vulnerable plugins.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.