Cyber Resilience

CVE-2024-49303

High

Published: 21 January 2025

Published
21 January 2025
Modified
28 April 2026
KEV Added
Patch
CVSS Score v3.1 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
EPSS Score 0.0022 45.2th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-49303 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-49303 is an SQL Injection vulnerability (CWE-89) caused by improper neutralization of special elements used in an SQL command. It affects the Hero Mega Menu - Responsive WordPress Menu Plugin in all versions from n/a through 1.16.5.

The vulnerability can be exploited by low-privileged authenticated users (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Exploitation changes scope (S:C), resulting in high confidentiality impact (C:H) such as potential database data extraction, no integrity impact (I:N), and low availability impact (A:L). The CVSS v3.1 base score is 8.5.

Mitigation details are available in advisories such as the Patchstack database entry at https://patchstack.com/database/wordpress/plugin/hmenu/vulnerability/wordpress-hero-menu-plugin-1-16-5-sql-injection-vulnerability?_s_id=cve.

EU & UK References

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Hero Mega Menu - Responsive WordPress Menu Plugin allows SQL Injection. This issue affects Hero Mega Menu - Responsive WordPress Menu Plugin: from n/a through…

more

1.16.5.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in public-facing WordPress plugin directly enables remote exploitation (T1190) and database data extraction (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2019-25537Shared CWE-89
CVE-2019-25366Shared CWE-89
CVE-2019-25496Shared CWE-89
CVE-2026-1475Shared CWE-89
CVE-2026-26990Shared CWE-89
CVE-2026-44047Shared CWE-89
CVE-2025-12865Shared CWE-89
CVE-2024-11135Shared CWE-89
CVE-2019-25491Shared CWE-89
CVE-2024-13369Shared CWE-89

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 mandates validation of user inputs to neutralize special elements, directly preventing SQL injection exploitation in the Hero Mega Menu plugin.

prevent

SI-2 requires timely identification and remediation of flaws like the SQL injection vulnerability via patching the affected plugin versions.

detect

RA-5 vulnerability scanning detects SQL injection flaws such as CVE-2024-49303 in the WordPress plugin before exploitation occurs.

References