CVE-2024-7894: 
WordPress vulnerability analysis and mitigation

The If Menu plugin for WordPress contains a vulnerability (CVE-2024-7894) discovered and disclosed on December 6, 2024. The vulnerability affects versions up to and including 0.19.1 of the plugin. The issue stems from a missing capability check on the 'actions' function, which creates a security weakness in the plugin's license key management system (NVD).

The vulnerability is classified as a Missing Authorization issue (CWE-862) and has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The technical root cause is attributed to a missing capability check in the plugin's 'actions' function, which fails to properly validate user permissions before allowing license key modifications (Wordfence).

The vulnerability allows unauthenticated attackers to modify or delete the plugin's license key. This unauthorized access to license key management could potentially affect the plugin's functionality and licensing status (NVD).

Website administrators running the If Menu plugin should update to a version newer than 0.19.1 as soon as it becomes available. The vulnerability has been identified in the plugin's source code at the Admin.php file (WordPress Plugin).