CVE-2024-8433: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in themehunk Easy Mega Menu for WordPress – ThemeHunk
The Easy Mega Menu Plugin for WordPress – ThemeHunk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘themehunk_megamenu_bg_image' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Please note that this was partially fixed in 1.1.0 due to the missing authorization protection that was added.
AI Analysis
Technical Summary
CVE-2024-8433 is a stored cross-site scripting vulnerability in the Easy Mega Menu plugin for WordPress by ThemeHunk. The flaw exists due to insufficient input sanitization and output escaping of the 'themehunk_megamenu_bg_image' parameter, allowing authenticated users with subscriber-level privileges or higher to inject arbitrary web scripts. These scripts execute whenever a user accesses the injected page, potentially compromising user sessions or data. Although version 1.1.0 partially addressed the issue by adding authorization checks, the core sanitization problem persists in all versions up to and including 1.1.0. No official patch or fix link is currently provided.
Potential Impact
This vulnerability enables authenticated users with low-level privileges (subscriber and above) to perform stored cross-site scripting attacks, which can lead to the execution of arbitrary scripts in the context of other users viewing the affected pages. This may result in session hijacking, defacement, or other client-side impacts. The CVSS score of 6.4 reflects a medium severity with low attack complexity but requiring privileges and no user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or update link is provided, users should monitor ThemeHunk's communications for a fix. In the meantime, restrict plugin usage to trusted users only and consider disabling or removing the plugin if possible. The partial fix in version 1.1.0 added authorization protection but does not fully resolve the sanitization issue, so upgrading to 1.1.0 may reduce risk but does not eliminate it.
CVE-2024-8433: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in themehunk Easy Mega Menu for WordPress – ThemeHunk
Description
The Easy Mega Menu Plugin for WordPress – ThemeHunk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘themehunk_megamenu_bg_image' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Please note that this was partially fixed in 1.1.0 due to the missing authorization protection that was added.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-8433 is a stored cross-site scripting vulnerability in the Easy Mega Menu plugin for WordPress by ThemeHunk. The flaw exists due to insufficient input sanitization and output escaping of the 'themehunk_megamenu_bg_image' parameter, allowing authenticated users with subscriber-level privileges or higher to inject arbitrary web scripts. These scripts execute whenever a user accesses the injected page, potentially compromising user sessions or data. Although version 1.1.0 partially addressed the issue by adding authorization checks, the core sanitization problem persists in all versions up to and including 1.1.0. No official patch or fix link is currently provided.
Potential Impact
This vulnerability enables authenticated users with low-level privileges (subscriber and above) to perform stored cross-site scripting attacks, which can lead to the execution of arbitrary scripts in the context of other users viewing the affected pages. This may result in session hijacking, defacement, or other client-side impacts. The CVSS score of 6.4 reflects a medium severity with low attack complexity but requiring privileges and no user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or update link is provided, users should monitor ThemeHunk's communications for a fix. In the meantime, restrict plugin usage to trusted users only and consider disabling or removing the plugin if possible. The partial fix in version 1.1.0 added authorization protection but does not fully resolve the sanitization issue, so upgrading to 1.1.0 may reduce risk but does not eliminate it.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-09-04T15:59:14.662Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6c28b7ef31ef0b5609a2
Added to database: 2/25/2026, 9:39:52 PM
Last enriched: 4/9/2026, 8:26:12 AM
Last updated: 4/11/2026, 11:26:58 PM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.