CVE-2024-2405: 
WordPress vulnerability analysis and mitigation

The Float menu WordPress plugin before version 6.0.1 contains a Cross-Site Request Forgery (CSRF) vulnerability. The vulnerability was discovered and disclosed on April 11, 2024, and was assigned identifier CVE-2024-2405. The vulnerability affects the bulk actions functionality in the Float menu WordPress plugin (WPScan, NVD).

The vulnerability stems from the absence of CSRF protection in the plugin's bulk actions feature. This security flaw has been assigned a CVSS v3.1 Base Score of 4.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N, indicating network accessibility, low attack complexity, high privileges required, and user interaction needed (CISA-ADP).

If successfully exploited, this vulnerability allows attackers to trick authenticated administrators into deleting arbitrary menus through a CSRF attack. The impact is limited to menu deletion functionality but could affect site navigation and user experience (WPScan).

The vulnerability has been patched in version 6.0.1 of the Float menu WordPress plugin. Site administrators are advised to update to this version or later to protect against potential CSRF attacks (WPScan).