CVE-2025-24692
Published: 14 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-24692 is a missing authorization vulnerability (CWE-862) in the Bulk Menu Edit WordPress plugin (bulk-menu-edit) by M.Code. The issue stems from exploiting incorrectly configured access control security levels and affects all versions from n/a through 1.3 inclusive. Published on 2025-02-14, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
An attacker requires low privileges (PR:L), such as those of an authenticated WordPress user, to exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables low impact to integrity (I:L) and high impact to availability (A:H), with no confidentiality impact (C:N), in an unchanged scope (S:U).
Patchstack provides details on this broken access control vulnerability specific to Bulk Menu Edit plugin version 1.3. Refer to https://patchstack.com/database/Wordpress/Plugin/bulk-menu-edit/vulnerability/wordpress-bulk-menu-edit-plugin-1-3-broken-access-control-vulnerability?_s_id=cve for advisory information, including recommended mitigations and patches.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a broken access control vulnerability in a publicly accessible WordPress plugin, directly enabling exploitation of a public-facing web application over the network by an authenticated low-privilege user.