Cyber Posture

CVE-2024-49333

Severity: High

Published: 21 January 2025
Modified: 28 April 2026
KEV Added:
Patch:
CVSS Score: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L)
EPSS Score: 0.0022 (44.9th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Hero Mega Menu - Responsive WordPress Menu Plugin allows SQL Injection. This issue affects Hero Mega Menu - Responsive WordPress Menu Plugin: from n/a through 1.16.5.

Security Summary

CVE-2024-49333 is an SQL Injection vulnerability (CWE-89), resulting from improper neutralization of special elements used in an SQL command. It affects the Hero Mega Menu - Responsive WordPress Menu Plugin in all versions from n/a through 1.16.5.

The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L). A low-privileged authenticated user, such as a WordPress contributor, can exploit it over the network with low attack complexity and no user interaction. Successful exploitation has a high confidentiality impact, potentially allowing data extraction beyond the plugin's own security scope (S:C), together with a low availability impact.

Patchstack advisories document the issue and provide details on the vulnerability; see https://patchstack.com/database/wordpress/plugin/hmenu/vulnerability/wordpress-hero-menu-plugin-1-16-5-sql-injection-vulnerability-2?_s_id=cve for mitigation recommendations.

Details

CWE(s): CWE-89

References