CVE-2024-13780 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Hero Mega Menu - Responsive WordPress Menu Plugin, which is widely used to create responsive menus in WordPress websites. The vulnerability exists in the hmenu_delete_menu() function, where insufficient validation of file paths allows unauthenticated attackers to delete arbitrary directories on the server. This occurs because the plugin fails to properly authorize requests and validate the file paths before performing deletion operations. The affected versions include all versions up to and including 1.16.5. The vulnerability can be exploited remotely without authentication or user interaction, making it easier for attackers to cause damage. The CVSS 3.1 base score is 6.5 (medium severity), reflecting the high impact on availability (A:H) but no impact on confidentiality or integrity. The attack vector is network (AV:N), with low attack complexity (AC:L), and requires low privileges (PR:L), indicating that an attacker with minimal access can exploit the flaw. Although no public exploits are currently known, the vulnerability could be leveraged to delete critical website files or directories, potentially leading to denial of service or site defacement. The lack of patch links suggests that a fix may not yet be available, increasing the urgency for mitigation.

The primary impact of this vulnerability is on the availability of affected WordPress websites. By deleting arbitrary directories, attackers can disrupt website functionality, cause denial of service, or remove important content and configuration files. This can lead to website downtime, loss of user trust, and potential revenue loss for businesses relying on their online presence. Since the vulnerability does not affect confidentiality or integrity directly, data theft or unauthorized data modification is less likely. However, the ability to delete files arbitrarily can indirectly affect integrity if attackers remove or alter critical files. The ease of exploitation without authentication increases the risk of widespread attacks, especially on sites that have not applied mitigations. Organizations using this plugin in sectors such as e-commerce, media, and services may face operational disruptions and reputational damage if exploited.

1. Immediately restrict access to the hmenu_delete_menu() function by implementing server-level access controls or web application firewall (WAF) rules that block unauthorized requests targeting this function. 2. Apply strict file path validation to ensure only legitimate menu-related files can be deleted, preventing directory traversal or arbitrary path manipulation. 3. Monitor server logs and WordPress activity logs for unusual deletion requests or patterns indicative of exploitation attempts. 4. If a patch becomes available from the vendor, prioritize updating the plugin to the fixed version. 5. As a temporary measure, consider disabling or uninstalling the Hero Mega Menu plugin if it is not critical to website functionality. 6. Harden WordPress installations by limiting file system permissions to the minimum necessary, preventing the web server from deleting critical system files. 7. Educate site administrators about the risk and encourage regular backups to enable recovery in case of file deletion. 8. Employ intrusion detection systems (IDS) to detect anomalous file deletion activities.