CVE-2021-4443

CRITICAL EXPLOITED

WordPress Mega Menu - QuadMenu <= 2.0.6 - Unauthenticated Arbitrary File Creation via compiler_save AJAX Action


Exploitation Summary

CVE-2021-4443 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

The WordPress Mega Menu plugin for WordPress is vulnerable to Arbitrary File Creation in versions up to, and including, 2.0.6 via the compiler_save AJAX action. This makes it possible for unauthenticated attackers to create arbitrary PHP files that can be used to execute malicious code.

Scores

CVSS v3 9.8
EPSS 0.0066
EPSS Percentile 46.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2024-10-15
CWE CWE-434
Status published
Products (2)
quadlayers/QuadMenu – Mega Menu < 2.0.6
quadlayers/WordPress Mega Menu – QuadMenu < 2.0.6
Published Oct 16, 2024
Tracked Since Feb 18, 2026