CVE-2021-24162
HIGH
Responsive Menu < 4.0.4 - Cross-Site Request Forgery via Settings Import
Title source: llm
Description
In the Responsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into importing all new settings. These settings could be modified to include malicious JavaScript, therefore allowing an attacker to inject payloads that could aid in further infection of the site.
References (2)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.wordfence.com/blog/2021/02/multiple-vulnerabilities-patched-in-responsive-menu-plugin/
Exploit, Third Party Advisory x_refsource_confirm
https://wpscan.com/vulnerability/923fc3a3-4bcc-4b48-870a-6150e14509b5
Scores
CVSS v3: 8.8
EPSS: 0.0080
EPSS Percentile: 52.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE: CWE-352
Status: published
Products (1): expresstech/responsive_menu < 4.0.4 (2 CPE variants)
Published: Apr 05, 2021
Tracked Since: Feb 18, 2026