{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2871", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-27T13:52:24.613Z", "datePublished": "2025-04-12T03:21:34.380Z", "dateUpdated": "2026-04-08T16:38:17.495Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:38:17.495Z"}, "affected": [{"vendor": "quadlayers", "product": "QuadMenu \u2013 Mega Menu", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WordPress Mega Menu \u2013 QuadMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the ajax_dismiss_notice() function. This makes it possible for unauthenticated attackers to update any user meta to a value of one, including wp_capabilities which could result in a privilege deescalation of an administrator, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "WordPress Mega Menu \u2013 QuadMenu <= 3.2.0 - Cross-Site Request Forgery to Limited User Meta Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ba7b675-54d6-4f0e-b60f-1c7fa6ff24ea?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/quadmenu/tags/3.2.0/lib/class-admin.php#L105"}, {"url": "https://plugins.trac.wordpress.org/changeset/3270825/quadmenu/tags/3.2.1/lib/class-admin.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-04-11T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-14T16:27:26.139304Z", "id": "CVE-2025-2871", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-14T16:29:58.621Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2871", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-14T16:27:26.139304Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-14T16:27:33.865Z"}}], "cna": {"title": "WordPress Mega Menu \u2013 QuadMenu <= 3.2.0 - Cross-Site Request Forgery to Limited User Meta Update", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "quadlayers", "product": "WordPress Mega Menu \u2013 QuadMenu", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-11T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ba7b675-54d6-4f0e-b60f-1c7fa6ff24ea?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/quadmenu/tags/3.2.0/lib/class-admin.php#L105"}, {"url": "https://plugins.trac.wordpress.org/changeset/3270825/quadmenu/tags/3.2.1/lib/class-admin.php"}], "descriptions": [{"lang": "en", "value": "The WordPress Mega Menu \u2013 QuadMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the ajax_dismiss_notice() function. This makes it possible for unauthenticated attackers to update any user meta to a value of one, including wp_capabilities which could result in a privilege deescalation of an administrator, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-04-12T03:21:34.380Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2871", "state": "PUBLISHED", "dateUpdated": "2025-04-14T16:29:58.621Z", "dateReserved": "2025-03-27T13:52:24.613Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-12T03:21:34.380Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WordPress Mega Menu \u2013 QuadMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the ajax_dismiss_notice() function. This makes it possible for unauthenticated attackers to update any user meta to a value of one, including wp_capabilities which could result in a privilege deescalation of an administrator, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Mega Men\u00fa \u2013 QuadMenu de WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 3.2.0 incluida. Esto se debe a una validaci\u00f3n de nonce inexistente o incorrecta en la funci\u00f3n ajax_dismiss_notice(). Esto permite a atacantes no autenticados actualizar cualquier metadatos de usuario a un valor de uno, incluyendo wp_capabilities, lo que podr\u00eda resultar en la p\u00e9rdida de privilegios de un administrador mediante una solicitud falsificada, ya que pueden enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-2871", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-04-12T04:15:39.283", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quadmenu/tags/3.2.0/lib/class-admin.php#L105"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3270825/quadmenu/tags/3.2.1/lib/class-admin.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ba7b675-54d6-4f0e-b60f-1c7fa6ff24ea?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:33:02.803966+00:00", "value": {"mitigation_remediation": ["Update the QuadMenu plugin to version 3.2.1 or later where the nonce check is restored in ajax_dismiss_notice.", "If an update is not immediately available, remove or restrict access to the ajax_dismiss_notice endpoint, for example by disabling the related feature or using a firewall rule to block unauthenticated requests to that URL.", "Review and enforce WordPress security best practices by ensuring that all Ajax requests use valid nonces and that user capability changes are logged to detect unauthorized modifications."], "summary": {"action": "Immediate Patch", "impact": "Privilege Deescalation via Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "The affected product is QuadMenu \u2013 Mega Menu from quadlayers, in all releases up to and including version 3.2.0. Upgrade to 3.2.1 or later is required to eliminate the flaw.", "description_and_impact": "The vulnerable version of the WordPress Mega Menu \u2013 QuadMenu plugin lacks proper nonce validation in its ajax_dismiss_notice handler. Because unauthenticated users can call this endpoint with a forged request, they can set any user meta field to the value one. When the wp_capabilities meta is updated, an administrator\u2019s role can be downgraded, effectively removing administrative rights and compromising site security. This constitutes a privilege deescalation flaw that can be exploited only after convincing a legitimate administrator to perform a specific action such as clicking a malicious link.", "risk_and_exploitability": "The CVSS score of 4.3 and an EPSS below 1% indicate a low severity but also a very small chance that the attack will be observed in the wild. With no listing in the CISA KEV catalog, the vulnerability is not known to be actively exploited. An attacker can still use social engineering to trick an administrator into executing the forged Ajax call, but the overall risk remains modest compared to higher\u2011impact flaws."}}}}, "created": "2026-04-22T17:45:22.918664+00:00", "updated": "2026-04-22T17:45:22.918675+00:00", "vendors": []}