CVE-2024-2405 – Float menu < 6.0.1 - Menu Deletion via CSRF
https://notcve.org/view.php?id=CVE-2024-2405
The Float menu WordPress plugin before 6.0.1 does not have a CSRF check in its bulk actions, which could allow attackers to make a logged-in admin delete an arbitrary menu via a CSRF attack.

The Float menu – awesome floating side menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to missing or incorrect nonce validation on the float-menu function. This makes it possible for unauthenticated attackers to delete menu items via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

• https://wpscan.com/vulnerability/c42ffa15-6ebe-4c70-9e51-b95bd05ea04d
• CWE-352: Cross-Site Request Forgery (CSRF)