CVE-2025-24724
Description
Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Side Menu Lite side-menu-lite allows Cross Site Request Forgery. This issue affects Side Menu Lite: from n/a through <= 5.3.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in Side Menu Lite <=5.3.1 allows an attacker to trick a privileged user into changing plugin settings without consent.
This Cross-Site Request Forgery (CSRF) vulnerability affects the Side Menu Lite WordPress plugin (side-menu-lite) from Wow-Company, up to version 5.3.1. The root cause is a missing or insufficient nonce validation on settings-change endpoints, which allows an attacker to forge requests on behalf of an authenticated administrator.
To exploit this flaw, an attacker must convince a logged-in user with administrative privileges to click a crafted link, visit a malicious page, or submit a form. No additional authentication is required beyond the victim's session. The attack does not require direct network access to the target server — it can be delivered via email, social engineering, or other web-based vectors.
Successful exploitation could force the victim's browser to perform unauthorized actions, such as modifying plugin settings (e.g., changing menu appearance or behavior). While the CVSS v3 score is 5.4 (Medium), the vendor and Patchstack note that the overall impact is low and mass exploitation is unlikely without social engineering.
The vulnerability is patched in version 5.3.2. Users are strongly advised to update immediately. For sites that cannot update, enabling auto-updates for vulnerable plugins (e.g., via Patchstack) is recommended. As noted in reference [1], this is not currently listed on CISA's Known Exploited Vulnerabilities catalog.
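The root cause described above (a settings-change handler that accepts any POST carrying an administrator session, with no nonce check) and the fix are easiest to see side by side. The following is an added illustration written in WordPress PHP; it is not code from Side Menu Lite or Wow-Company, and the handler names, action slug, option name and form field are hypothetical.

```php
<?php
// Added illustration, not code from Side Menu Lite or Wow-Company.
// Hypothetical admin-post handler for a plugin settings page, shown in a
// CSRF-prone form and in a hardened form. The action slug
// 'example_save_settings', the option 'example_menu_settings' and the
// field 'menu_position' are made up for this example.

// --- Vulnerable pattern: trusts any POST that arrives with an admin session.
// A capability check alone does not help against CSRF: the victim IS the
// administrator, and the browser attaches the WordPress auth cookies to a
// form submitted from any third-party page.
function example_save_settings_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    $settings = array(
        'menu_position' => sanitize_text_field( wp_unslash( $_POST['menu_position'] ?? '' ) ),
    );
    update_option( 'example_menu_settings', $settings ); // written with no proof of intent
    wp_safe_redirect( admin_url( 'options-general.php?page=example-menu' ) );
    exit;
}

// --- Hardened pattern: the settings form carries a nonce bound to the
// logged-in user and to this specific action. A cross-site page cannot read
// that value, so a forged request fails check_admin_referer() and is
// rejected before any option is written.
function example_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_settings">';
    // Emits a hidden field named _example_nonce holding the per-user, per-action token.
    wp_nonce_field( 'example_save_settings', '_example_nonce' );
    echo '<input type="text" name="menu_position" value="left">';
    submit_button( 'Save' );
    echo '</form>';
}

function example_save_settings_safe() {
    // Authorization: only users who may manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // Intent: dies with a 403 "link has expired" page if the nonce is missing,
    // stale, or was issued to a different user or action.
    check_admin_referer( 'example_save_settings', '_example_nonce' );
    $settings = array(
        'menu_position' => sanitize_text_field( wp_unslash( $_POST['menu_position'] ?? '' ) ),
    );
    update_option( 'example_menu_settings', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-menu&updated=1' ) );
    exit;
}

// Route admin-post.php?action=example_save_settings to the hardened handler.
add_action( 'admin_post_example_save_settings', 'example_save_settings_safe' );
```

When reviewing a plugin for this class of bug, look for every code path that calls update_option() (or otherwise writes state) in response to a request and confirm it is preceded by both a capability check and a nonce check (check_admin_referer() for form posts, check_ajax_referer() for admin-ajax handlers, or a permission_callback for REST routes). The capability check alone is the pattern that typically leaves a CSRF hole of the kind described above.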
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.