CVE-2024-49303: 
WordPress vulnerability analysis and mitigation

An SQL Injection vulnerability (CVE-2024-49303) was discovered in the Hero Mega Menu - Responsive WordPress Menu Plugin affecting versions through 1.16.5. The vulnerability was initially reported by researcher Bonds on September 22, 2024, and was publicly disclosed on January 3, 2025 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) with CWE-89. It received a CVSS v3.1 Base Score of 8.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L. The vulnerability requires Subscriber or higher privileges to exploit (Patchstack).

This vulnerability is considered highly dangerous and expected to become mass exploited. It could allow malicious actors with subscriber-level access to directly interact with the database, potentially leading to unauthorized data access and information theft (Patchstack).

As of January 2025, no official fix is available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately or consider alternative menu plugins (Patchstack).