CVE-2026-8688

EUVD-2026-38685
The Advance Nav Menu Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to duplicate, copy, move, or publish nav_menu_item posts via wp_insert_post(), modifying the site's navigation menus without authorization.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
Common Weakness Enumeration
References
https://plugins.trac.wordpress.org/browser/advance-nav-menu-manager/tags/1.1/include/class-advancenavmenumanager.php#L231
https://plugins.trac.wordpress.org/browser/advance-nav-menu-manager/tags/1.1/include/class-advancenavmenumanager.php#L236
https://plugins.trac.wordpress.org/browser/advance-nav-menu-manager/tags/1.1/include/option.php#L107
https://plugins.trac.wordpress.org/browser/advance-nav-menu-manager/tags/1.3/include/class-advancenavmenumanager.php#L231
https://plugins.trac.wordpress.org/browser/advance-nav-menu-manager/tags/1.3/include/class-advancenavmenumanager.php#L236
https://plugins.trac.wordpress.org/browser/advance-nav-menu-manager/tags/1.3/include/option.php#L107
https://www.wordfence.com/threat-intel/vulnerabilities/id/e234a79d-5d46-44db-833c-51e202dc49bf?source=cve