The UberMenu plugin for WordPress is affected by a CSRF vulnerability (CWE-352) in all versions up to and including 3.8.3. The vulnerability is due to missing or incorrect nonce validation on the ubermenu_delete_all_item_settings and ubermenu_reset_settings functions. An attacker can exploit this by tricking an authenticated site administrator into submitting a forged request, resulting in unauthorized deletion or resetting of the plugin's settings. The CVSS 3.1 base score is 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L), reflecting network attack vector, low attack complexity, no privileges required, no user interaction needed, scope changed, no confidentiality impact, but integrity and availability impacts are low and high respectively.

Successful exploitation allows an unauthenticated attacker to cause an administrator to delete or reset UberMenu plugin settings without their consent. This can disrupt website functionality or configuration, impacting availability and integrity of the plugin settings. There is no direct confidentiality impact reported. No known exploits in the wild have been documented at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should be cautious about clicking on unsolicited links while logged into WordPress with administrative privileges. Monitoring official SevenSpark or WordPress plugin update channels for a security patch is recommended.