CVE-2024-49303

High

Published: 21 January 2025

Published

21 January 2025

Modified

28 April 2026

KEV Added

—

Patch

—

CVSS Score 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

EPSS Score 0.0022 44.9th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Hero Mega Menu - Responsive WordPress Menu Plugin allows SQL Injection. This issue affects Hero Mega Menu - Responsive WordPress Menu Plugin: from n/a through 1.16.5.

Security Summary

CVE-2024-49303 is an SQL Injection vulnerability (CWE-89) caused by improper neutralization of special elements used in an SQL command. It affects the Hero Mega Menu - Responsive WordPress Menu Plugin in all versions from n/a through 1.16.5.

The vulnerability can be exploited by low-privileged authenticated users (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Exploitation changes scope (S:C), resulting in high confidentiality impact (C:H) such as potential database data extraction, no integrity impact (I:N), and low availability impact (A:L). The CVSS v3.1 base score is 8.5.

Mitigation details are available in advisories such as the Patchstack database entry at https://patchstack.com/database/wordpress/plugin/hmenu/vulnerability/wordpress-hero-menu-plugin-1-16-5-sql-injection-vulnerability?_s_id=cve.

Details

CWE(s): CWE-89

References

https://patchstack.com/database/wordpress/plugin/hmenu/vulnerability/wordpress-hero-menu-plugin-1-16-5-sql-injection-vulnerability?_s_id=cve
audit@patchstack.com