CVE-2025-24692: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in Michael Revellin-Clerc's Bulk Menu Edit WordPress plugin affecting versions up to 1.3. The vulnerability was disclosed on January 29, 2025, and allows exploiting incorrectly configured access control security levels (Patchstack, NVD).

The vulnerability is classified as a Broken Access Control issue, which refers to missing authorization, authentication or nonce token checks in certain functions. This allows unprivileged users to execute higher privileged actions. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H and is tracked as CWE-862 (Missing Authorization) (Patchstack).

The vulnerability allows subscriber-level users to perform unauthorized actions that should be restricted to users with higher privilege levels. This could potentially lead to unauthorized modifications of menu settings and compromise of site functionality (Patchstack).

Users are advised to update to version 1.3.1 or later which contains the fix for this vulnerability. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).