CVE-2024-37274 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the WP Mobile Menu plugin for WordPress, developed by Rui Guerreiro. The affected versions include all releases up to and including 2.8.4.3. CSRF vulnerabilities occur when an attacker tricks an authenticated user into submitting a forged request to a web application, causing the application to perform unintended actions on behalf of the user. In this case, the WP Mobile Menu plugin lacks adequate CSRF protections on certain actions, allowing attackers to craft malicious web pages or links that, when visited by an authenticated WordPress user, can trigger unauthorized changes or commands within the plugin's functionality. This can lead to unauthorized configuration changes, menu manipulation, or other actions permitted by the plugin's interface. The vulnerability requires the victim to be authenticated on the target WordPress site but does not require any additional user interaction beyond visiting a malicious page. No CVSS score has been assigned yet, and no public exploits have been reported. The vulnerability was reserved in June 2024 and published in January 2025. The absence of a patch link indicates that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps by site administrators. Given the widespread use of WordPress and the popularity of mobile menu plugins, this vulnerability could affect a significant number of websites globally.

The impact of CVE-2024-37274 can be significant for organizations relying on the WP Mobile Menu plugin. Successful exploitation allows attackers to perform unauthorized actions within the context of an authenticated user session, potentially altering site navigation menus or other plugin-managed settings. This can degrade user experience, cause site misconfigurations, or be leveraged as part of a broader attack chain to escalate privileges or inject malicious content. For e-commerce, media, or corporate websites, such unauthorized changes can damage brand reputation, disrupt business operations, and erode customer trust. Since WordPress powers a large portion of the web, the scope of affected systems is broad, especially for sites that have not implemented additional security controls. The ease of exploitation—requiring only that a logged-in user visits a malicious site—raises the risk of widespread automated attacks or targeted phishing campaigns. While the vulnerability does not directly expose sensitive data, the integrity and availability of site features managed by the plugin are at risk, which can indirectly impact confidentiality if attackers leverage the foothold for further compromise.

To mitigate CVE-2024-37274, organizations should take the following specific actions: 1) Monitor for and apply any official patches or updates released by the WP Mobile Menu plugin developer as soon as they become available. 2) In the absence of a patch, implement web application firewall (WAF) rules to detect and block suspicious CSRF attempts targeting the plugin’s endpoints. 3) Enforce strict user session management and consider reducing the number of users with administrative or privileged access to minimize the attack surface. 4) Educate users about the risks of clicking on untrusted links while logged into administrative accounts. 5) Where possible, implement additional CSRF tokens or nonce verification manually in plugin code or via security plugins that enhance WordPress security. 6) Regularly audit plugin usage and configurations to detect unauthorized changes promptly. 7) Consider temporarily disabling or replacing the WP Mobile Menu plugin with alternative solutions until a secure version is available. These measures collectively reduce the risk of exploitation and limit potential damage.