CVE-2024-13780
📋 TL;DR
The Hero Mega Menu WordPress plugin has an arbitrary file deletion vulnerability that allows unauthenticated attackers to delete any directory on the server. This affects all WordPress sites running the plugin up to and including version 1.16.5. Attackers can exploit this without any authentication or special privileges.
💻 Affected Systems
- Hero Mega Menu - Responsive WordPress Menu Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete website destruction by deleting WordPress core files, leading to total service disruption and potential data loss if backups are also deleted.
Likely Case
Partial website disruption by deleting critical directories like wp-content/uploads, causing broken functionality and media loss.
If Mitigated
Limited impact if file permissions restrict the web server user's write access, though directories the web server user can write to may still be deletable.
🎯 Exploit Status
The vulnerability lies in the hmenu_delete_menu() function, which does not validate the supplied path, so a directory traversal sequence can point the deletion outside the intended directory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.16.6 or later
Vendor Advisory: https://codecanyon.net/item/hero-menu-responsive-wordpress-mega-menu-plugin/10324895
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find the Hero Mega Menu plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 1.16.6+ from CodeCanyon and replace the plugin files.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until it is patched
wp plugin deactivate hero-menu-responsive-wordpress-mega-menu-plugin
Restrict Plugin Access
Add .htaccess rules (Apache) to block direct access to plugin files. Note that this only blocks requests whose filename matches hmenu*; a request routed through wp-admin/admin-ajax.php does not match the rule.
<Files "hmenu*">
Order Allow,Deny
Deny from all
</Files>
🧯 If You Can't Patch
- Remove the plugin entirely from the WordPress installation
- Implement web application firewall rules to block requests that invoke the hmenu_delete_menu action
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Hero Mega Menu version. If the version is 1.16.5 or lower, you are vulnerable.
Check Version:
wp plugin get hero-menu-responsive-wordpress-mega-menu-plugin --field=version
Verify Fix Applied:
After update, confirm plugin version shows 1.16.6 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests containing 'hmenu_delete_menu' in the URL or parameters
- File deletion errors in web server logs
- Directory traversal patterns in request logs
Network Indicators:
- Unusual POST requests to wp-admin/admin-ajax.php with hmenu_delete_menu action
- Traffic spikes to plugin-specific endpoints
SIEM Query:
source="web_logs" AND ("hmenu_delete_menu" OR "action=hmenu_delete")
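The two log indicators above (the hmenu_delete_menu action on admin-ajax.php and directory traversal sequences) can be checked offline against web server access logs. The following is an added example, not code from the advisory or the plugin: it parses combined-format log lines, URL-decodes the request (including double encoding) and tags each line with the indicators it carries. The sample log is constructed, and the query parameter "p" is a placeholder, not the plugin's real parameter name.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" access-log format; only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+')
# Parent-directory sequences ("../" or "..\"), matched after URL decoding.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

# Constructed sample log, not real traffic. The parameter "p" is a placeholder, not the
# plugin's real parameter name; only the action name comes from the advisory above.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2025:12:00:07 +0000] "POST /wp-admin/admin-ajax.php?action=hmenu_delete_menu HTTP/1.1" 200 34
203.0.113.9 - - [10/Mar/2025:12:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=hmenu_delete_menu&p=%252e%252e%252fuploads HTTP/1.1" 200 34
198.51.100.2 - - [10/Mar/2025:12:01:00 +0000] "GET /wp-content/uploads/2025/03/logo.png HTTP/1.1" 200 8812
"""

def decode_fully(s: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded), so single- and double-encoded sequences normalize."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify(line: str) -> list:
    """Indicator tags for one access-log line; empty if it is benign or does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path = decode_fully(m.group('path'))
    tags = []
    # Indicator 1: the hmenu_delete_menu AJAX action (also matches "action=hmenu_delete").
    if 'admin-ajax.php' in path and 'hmenu_delete' in path:
        tags.append('hmenu_delete_action')
    # Indicator 2: a parent-directory sequence anywhere in the decoded request line.
    if TRAVERSAL_RE.search(path):
        tags.append('traversal_pattern')
    return tags

def scan(lines) -> list:
    """(client_ip, tags) for every line that carries at least one indicator."""
    hits = []
    for line in lines:
        tags = classify(line)
        if tags:
            hits.append((line.split(' ', 1)[0], tags))
    return hits
```

Run scan() over the lines of a real access log to get the client IPs to investigate; a hit carrying both tags is the strongest signal.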