
Cloud Vulnerability DB
A community-led vulnerabilities database
The Networker - Tech News WordPress Theme with Dark Mode for WordPress contains a vulnerability (CVE-2024-2962) that allows unauthorized modification of data due to a missing capability check in the admin_reload_nav_menu() function in versions up to and including 1.1.9. The vulnerability was discovered by Muhammad Zeeshan (Xib3rR4dAr) and was disclosed on March 26, 2024 (Wordfence).
The vulnerability is in the networker/inc/mega-menu.php file at line 86, where the theme registers the csco_reload_menu AJAX action for unauthenticated users through the wp_ajax_nopriv_csco_reload_menu hook. Because the handler performs no capability check, this registration lets any visitor call the admin_reload_nav_menu() function. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (GitHub PoC).
The vulnerability allows unauthenticated attackers to modify the display location of menus on affected WordPress sites. Attackers can manipulate menu visibility by marking menus as footer items or removing them from the primary navigation, effectively controlling the display location of any menu on the website (GitHub PoC).
The recommended fix is to remove the wp_ajax_nopriv_csco_reload_menu action hook from line 86 of wp-content/themes/networker/inc/mega-menu.php to prevent unauthenticated access to the admin_reload_nav_menu function. Site administrators should update to a patched version if available or implement the suggested code modification (GitHub PoC).
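To check other themes and plugins for the same pattern, the following added example (not code from the theme, the PoC, or Wordfence) scans PHP source for wp_ajax_nopriv_ hooks whose callback writes site state without calling current_user_can(). The PHP sample is constructed for illustration, and the list of "write" functions and the brace-counting body extraction are simplifying assumptions.

```python
import re

# Constructed PHP sample modelled on the pattern the advisory describes;
# it is NOT the theme's actual source.
SAMPLE_PHP = r"""<?php
class Demo_Mega_Menu {
    public function __construct() {
        add_action( 'wp_ajax_csco_reload_menu', array( $this, 'admin_reload_nav_menu' ) );
        add_action( 'wp_ajax_nopriv_csco_reload_menu', array( $this, 'admin_reload_nav_menu' ) );
        add_action( 'wp_ajax_nopriv_demo_load_posts', array( $this, 'load_posts' ) );
        add_action( 'wp_ajax_nopriv_demo_save', array( $this, 'save_settings' ) );
    }
    public function admin_reload_nav_menu() {
        set_theme_mod( 'nav_menu_locations', $_POST['locations'] );
    }
    public function load_posts() {
        echo get_the_title( (int) $_GET['id'] );
    }
    public function save_settings() {
        if ( ! current_user_can( 'edit_theme_options' ) ) { wp_die( -1 ); }
        update_option( 'demo', $_POST['value'] );
    }
}
"""

# Hooks reachable by logged-out visitors: (action name, callback name).
HOOK_RE = re.compile(r"""add_action\(\s*['"]wp_ajax_nopriv_(\w+)['"]\s*,\s*(?:array\(\s*\$this\s*,\s*)?['"](\w+)['"]""")
# Assumed, non-exhaustive set of WordPress calls that modify site state.
WRITE_RE = re.compile(r"\b(set_theme_mod|update_option|update_post_meta|wp_insert_post)\s*\(")
GUARD_RE = re.compile(r"\bcurrent_user_can\s*\(")

def function_body(src, name):
    """Return the body of PHP function `name` by counting braces (heuristic:
    braces inside strings or comments are not special-cased)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """List (action, callback) pairs exposed to unauthenticated users
    whose callback writes state and never checks a capability."""
    return [(action, cb) for action, cb in HOOK_RE.findall(src)
            if WRITE_RE.search(function_body(src, cb))
            and not GUARD_RE.search(function_body(src, cb))]
```

A hit is a lead for manual review, not proof of a flaw: a callback may delegate its capability check to a helper the scanner does not follow.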
Source: This report was generated using AI