Max Mega Menu Security & Risk Analysis

wordpress.org/plugins/megamenu

An easy to use mega menu plugin. Written the WordPress way.

300K active installs · v3.7 · PHP 5.6+ · WP 5.0+ · Updated Dec 15, 2025
Tags: mega-menu, menu, mobile-menu, navigation, responsive-menu
Score: 99 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Mar 26, 2024
Safety Verdict

Is Max Mega Menu Safe to Use in 2026?

Generally Safe

Score 99/100

Max Mega Menu has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Mar 26, 2024 · Updated 3mo ago
Risk Assessment

The "megamenu" plugin version 3.8 exhibits a mixed security posture. While it demonstrates strengths in using prepared statements for SQL queries and a good number of capability checks, several concerning areas require attention. The presence of 19 AJAX handlers, with 3 lacking proper authentication checks, presents a significant attack surface. Additionally, the taint analysis, although not revealing critical or high severity issues, identified 10 flows with unsanitized paths, hinting at potential weaknesses that could be exploited if specific conditions are met. The plugin's vulnerability history, with two medium severity CVEs primarily related to missing authorization and cross-site scripting, further underscores the need for vigilance. The most recent vulnerability in March 2024, although patched, indicates an ongoing pattern of security issues in these areas. Overall, the plugin has made efforts towards secure coding but needs to address the identified gaps in authentication and input sanitization to improve its security.

Key Concerns

  • AJAX handlers without authorization checks
  • Unsanitized paths in taint analysis flows
  • Bundled outdated library: Select2 v3.5.4
  • Medium severity CVEs in vulnerability history
  • Potential for cross-site scripting (from history)
  • Missing authorization patterns (from history)
Vulnerabilities
2

Max Mega Menu Security Vulnerabilities

CVEs by Year

1 CVE in 2017
1 CVE in 2024

Severity Breakdown

Medium
2

2 total CVEs

CVE-2024-28003 · medium · 4.3 · Missing Authorization

Max Mega Menu <= 3.3. - Missing Authorization

Mar 26, 2024 Patched in 3.3.1 (43d)
CVE-2017-18525 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Max Mega Menu <= 2.3.8 - Authenticated Cross-Site Scripting

Oct 11, 2017 Patched in 2.4 (2295d)
Code Analysis
Analyzed Mar 16, 2026

Max Mega Menu Code Analysis

Dangerous Functions: 67
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 189 (289 escaped)
Nonce Checks: 30
Capability Checks: 20
File Operations: 25
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

unserialize · $imports = unserialize(file_get_contents($icache)); · classes\scss\0.0.12\scss.inc.php:4352
unserialize · $c = unserialize($c); · classes\scss\1.11.1\src\Cache.php:136
assert · assert($this->scope !== null); · classes\scss\1.11.1\src\Compiler.php:538
assert · assert($sourceMapGenerator !== null); · classes\scss\1.11.1\src\Compiler.php:552
assert · assert($this->scope !== null); · classes\scss\1.11.1\src\Compiler.php:745
unserialize · $value = unserialize($value); · classes\scss\1.11.1\src\Compiler.php:809
assert · assert($block->parent !== null); · classes\scss\1.11.1\src\Compiler.php:827
assert · assert($media instanceof MediaBlock); · classes\scss\1.11.1\src\Compiler.php:1294
assert · assert($this->scope !== null); · classes\scss\1.11.1\src\Compiler.php:1300
assert · assert($block instanceof AtRootBlock); · classes\scss\1.11.1\src\Compiler.php:1439
assert · assert($selfParent !== null, 'at-root blocks must have a selfParent set.'); · classes\scss\1.11.1\src\Compiler.php:1462
assert · assert($this->scope !== null); · classes\scss\1.11.1\src\Compiler.php:1474
assert · assert($this->scope !== null); · classes\scss\1.11.1\src\Compiler.php:1481
assert · assert($this->rootBlock !== null); · classes\scss\1.11.1\src\Compiler.php:1506
assert · assert($block instanceof DirectiveBlock || $block instanceof OutputBlock); · classes\scss\1.11.1\src\Compiler.php:1715
assert · assert($this->scope->parent !== null); · classes\scss\1.11.1\src\Compiler.php:1786
assert · assert($this->scope !== null); · classes\scss\1.11.1\src\Compiler.php:1791
assert · assert($block instanceof NestedPropertyBlock); · classes\scss\1.11.1\src\Compiler.php:1808
assert · assert($child[1] instanceof NestedPropertyBlock); · classes\scss\1.11.1\src\Compiler.php:1827
assert · assert($this->scope->parent !== null); · classes\scss\1.11.1\src\Compiler.php:1849
assert · assert($this->scope !== null); · classes\scss\1.11.1\src\Compiler.php:1883
assert · assert($block->selectors !== null); · classes\scss\1.11.1\src\Compiler.php:1912
assert · assert($this->scope !== null); · classes\scss\1.11.1\src\Compiler.php:1917
assert · assert($block->selfParent !== null); · classes\scss\1.11.1\src\Compiler.php:1935
assert · assert($this->scope !== null); · classes\scss\1.11.1\src\Compiler.php:1991
assert · assert($block instanceof CallableBlock); · classes\scss\1.11.1\src\Compiler.php:3108
assert · assert($selectors !== null); · classes\scss\1.11.1\src\Compiler.php:3136
assert · assert($if instanceof IfBlock); · classes\scss\1.11.1\src\Compiler.php:3160
assert · assert($each instanceof EachBlock); · classes\scss\1.11.1\src\Compiler.php:3178
assert · assert($while instanceof WhileBlock); · classes\scss\1.11.1\src\Compiler.php:3213
assert · assert($for instanceof ForBlock); · classes\scss\1.11.1\src\Compiler.php:3226
assert · assert($mixin instanceof CallableBlock); · classes\scss\1.11.1\src\Compiler.php:3287
assert · assert($kebabCaseName !== null); · classes\scss\1.11.1\src\Compiler.php:3927
assert · assert($env->block instanceof MediaBlock); · classes\scss\1.11.1\src\Compiler.php:5030
assert · assert(!empty($parsedPrototypes)); · classes\scss\1.11.1\src\Compiler.php:6430
assert · assert(\is_string($arg[0][1])); · classes\scss\1.11.1\src\Compiler.php:6728
assert · assert(\is_string($name)); · classes\scss\1.11.1\src\Compiler.php:6753
assert · assert($originalRestArgumentName !== null); · classes\scss\1.11.1\src\Compiler.php:6884
assert · assert($default !== null); · classes\scss\1.11.1\src\Compiler.php:6905
assert · assert(\is_array($value)); · classes\scss\1.11.1\src\Compiler.php:7321
assert · assert(\is_array($value)); · classes\scss\1.11.1\src\Compiler.php:7426
assert · assert(!empty($selectorsMap)); · classes\scss\1.11.1\src\Compiler.php:10095
assert · assert(! empty($block->selectors)); · classes\scss\1.11.1\src\Formatter\Compressed.php:70
assert · assert(! empty($block->selectors)); · classes\scss\1.11.1\src\Formatter\Crunched.php:74
assert · assert($replacedLine !== null); · classes\scss\1.11.1\src\Formatter\Expanded.php:61
assert · assert($replacedLine !== null); · classes\scss\1.11.1\src\Formatter\Nested.php:72
assert · assert(! empty($block->selectors)); · classes\scss\1.11.1\src\Formatter.php:168
assert · assert($out !== false); · classes\scss\1.11.1\src\Formatter.php:300
assert · assert($this->currentBlock->sourceLine !== null); · classes\scss\1.11.1\src\Formatter.php:343
assert · assert($this->currentBlock->sourceName !== null); · classes\scss\1.11.1\src\Formatter.php:344
assert · assert($this->currentBlock->sourceLine !== null); · classes\scss\1.11.1\src\Formatter.php:360
assert · assert($this->currentBlock->sourceName !== null); · classes\scss\1.11.1\src\Formatter.php:361
assert · assert($this->env !== null); · classes\scss\1.11.1\src\Parser.php:299
assert · assert($if instanceof IfBlock); · classes\scss\1.11.1\src\Parser.php:796
assert · assert($this->env !== null); · classes\scss\1.11.1\src\Parser.php:1061
assert · assert(\is_array($include)); · classes\scss\1.11.1\src\Parser.php:1070
assert · assert($this->env !== null); · classes\scss\1.11.1\src\Parser.php:1082
assert · assert($this->env !== null); · classes\scss\1.11.1\src\Parser.php:1151
assert · assert($this->env !== null); · classes\scss\1.11.1\src\Parser.php:1186
assert · assert($this->env !== null); · classes\scss\1.11.1\src\Parser.php:1686
assert · assert($this->env !== null); · classes\scss\1.11.1\src\Parser.php:1703
assert · assert($this->env !== null); · classes\scss\1.11.1\src\Parser.php:1734
assert · assert(\is_array($value) || $value instanceof Number); · classes\scss\1.11.1\src\Parser.php:2245
assert · assert(\is_array($value)); · classes\scss\1.11.1\src\Parser.php:2249
assert · assert(\is_array($nextValue) || $nextValue instanceof Number); · classes\scss\1.11.1\src\Parser.php:2278
assert · assert($file !== null); · classes\scss\1.11.1\src\SourceMap\SourceMapGenerator.php:151
assert · assert($jsonSourceMap !== false); · classes\scss\1.11.1\src\SourceMap\SourceMapGenerator.php:233

Bundled Libraries

Select2 3.5.4

Output Escaping

60% escaped · 478 total outputs
Data Flows
10 unsanitized

Data Flow Analysis

13 flows · 10 with unsanitized paths
save_settings (classes\pages\general.php:60)
Attack Surface
3 unprotected

Max Mega Menu Attack Surface

Entry Points: 21
Unprotected: 3

AJAX Handlers 19

auth · wp_ajax_mm_get_lightbox_html · classes\menu-item-manager.class.php:29
auth · wp_ajax_mm_get_empty_grid_column · classes\menu-item-manager.class.php:30
auth · wp_ajax_mm_get_empty_grid_row · classes\menu-item-manager.class.php:31
auth · wp_ajax_mm_save_menu_item_settings · classes\menu-item-manager.class.php:32
auth · wp_ajax_mm_save_settings · classes\nav-menus.class.php:53
auth · wp_ajax_megamenu_save_theme · classes\pages\themes.php:40
auth · wp_ajax_mm_get_toggle_block_menu_toggle · classes\toggle-blocks.class.php:28
auth · wp_ajax_mm_get_toggle_block_menu_toggle_animated · classes\toggle-blocks.class.php:32
auth · wp_ajax_mm_get_toggle_block_spacer · classes\toggle-blocks.class.php:36
auth · wp_ajax_mm_edit_widget · classes\widget-manager.class.php:25
auth · wp_ajax_mm_edit_menu_item · classes\widget-manager.class.php:26
auth · wp_ajax_mm_save_widget · classes\widget-manager.class.php:27
auth · wp_ajax_mm_save_menu_item · classes\widget-manager.class.php:28
auth · wp_ajax_mm_update_widget_columns · classes\widget-manager.class.php:29
auth · wp_ajax_mm_update_menu_item_columns · classes\widget-manager.class.php:30
auth · wp_ajax_mm_delete_widget · classes\widget-manager.class.php:31
auth · wp_ajax_mm_add_widget · classes\widget-manager.class.php:32
auth · wp_ajax_mm_reorder_items · classes\widget-manager.class.php:33
auth · wp_ajax_mm_save_grid_data · classes\widget-manager.class.php:34

Shortcodes 2

[maxmenu] megamenu.php:100
[maxmegamenu] megamenu.php:101

WordPress Hooks 104

action · admin_init · classes\admin-notices.class.php:37
action · admin_notices · classes\admin-notices.class.php:38
filter · megamenu_tabs · classes\menu-item-manager.class.php:34
filter · megamenu_tabs · classes\menu-item-manager.class.php:35
filter · megamenu_tabs · classes\menu-item-manager.class.php:36
action · admin_init · classes\nav-menus.class.php:51
action · megamenu_nav_menus_scripts · classes\nav-menus.class.php:52
filter · hidden_meta_boxes · classes\nav-menus.class.php:54
filter · siteorigin_panels_is_admin_page · classes\nav-menus.class.php:56
action · admin_print_scripts-nav-menus.php · classes\nav-menus.class.php:59
action · admin_print_styles-nav-menus.php · classes\nav-menus.class.php:63
action · admin_post_megamenu_save_settings · classes\pages\general.php:20
filter · megamenu_menu_tabs · classes\pages\general.php:22
action · megamenu_page_general_settings · classes\pages\general.php:23
action · admin_post_megamenu_add_menu_location · classes\pages\locations.php:20
action · admin_post_megamenu_delete_menu_location · classes\pages\locations.php:21
action · admin_post_megamenu_save_menu_location · classes\pages\locations.php:22
action · admin_post_megamenu_sandbox · classes\pages\locations.php:24
action · wp_print_scripts · classes\pages\locations.php:25
action · wp_print_styles · classes\pages\locations.php:26
filter · megamenu_menu_tabs · classes\pages\locations.php:28
action · megamenu_page_menu_locations · classes\pages\locations.php:29
action · admin_menu · classes\pages\page.php:20
action · megamenu_admin_scripts · classes\pages\page.php:21
action · admin_post_megamenu_save_theme · classes\pages\themes.php:41
action · admin_post_megamenu_add_theme · classes\pages\themes.php:42
action · admin_post_megamenu_delete_theme · classes\pages\themes.php:43
action · admin_post_megamenu_revert_theme · classes\pages\themes.php:44
action · admin_post_megamenu_duplicate_theme · classes\pages\themes.php:45
action · admin_post_megamenu_import_theme · classes\pages\themes.php:46
filter · megamenu_menu_tabs · classes\pages\themes.php:48
action · megamenu_page_theme_editor · classes\pages\themes.php:49
filter · wp_code_editor_settings · classes\pages\themes.php:51
action · admin_post_megamenu_clear_css_cache · classes\pages\tools.php:21
action · admin_post_megamenu_delete_data · classes\pages\tools.php:22
filter · megamenu_menu_tabs · classes\pages\tools.php:24
action · megamenu_page_tools · classes\pages\tools.php:25
action · megamenu_enqueue_scripts · classes\style-manager.class.php:38
action · megamenu_enqueue_styles · classes\style-manager.class.php:39
action · wp_enqueue_scripts · classes\style-manager.class.php:41
action · wp_enqueue_scripts · classes\style-manager.class.php:42
action · wp_head · classes\style-manager.class.php:43
action · megamenu_delete_cache · classes\style-manager.class.php:44
action · megamenu_delete_cache · classes\style-manager.class.php:45
action · after_switch_theme · classes\style-manager.class.php:46
action · megamenu_head_css · classes\style-manager.class.php:48
filter · megamenu_css_transient_key · classes\style-manager.class.php:52
filter · megamenu_css_filename · classes\style-manager.class.php:53
action · megamenu_after_delete_cache · classes\style-manager.class.php:54
filter · megamenu_css_transient_key · classes\style-manager.class.php:56
filter · megamenu_css_filename · classes\style-manager.class.php:57
action · megamenu_after_delete_cache · classes\style-manager.class.php:58
filter · megamenu_scripts_in_footer · classes\style-manager.class.php:61
filter · filesystem_method · classes\style-manager.class.php:62
filter · megamenu_scss_variables · classes\toggle-blocks.class.php:21
filter · megamenu_scss_variables · classes\toggle-blocks.class.php:22
filter · megamenu_scss_variables · classes\toggle-blocks.class.php:23
filter · megamenu_load_scss_file_contents · classes\toggle-blocks.class.php:25
filter · megamenu_toggle_bar_content · classes\toggle-blocks.class.php:26
action · megamenu_output_admin_toggle_block_menu_toggle · classes\toggle-blocks.class.php:29
action · megamenu_output_public_toggle_block_menu_toggle · classes\toggle-blocks.class.php:30
action · megamenu_output_admin_toggle_block_menu_toggle_animated · classes\toggle-blocks.class.php:33
action · megamenu_output_public_toggle_block_menu_toggle_animated · classes\toggle-blocks.class.php:34
action · megamenu_output_admin_toggle_block_spacer · classes\toggle-blocks.class.php:37
action · megamenu_after_theme_revert · classes\toggle-blocks.class.php:39
action · megamenu_after_theme_save · classes\toggle-blocks.class.php:40
action · megamenu_admin_scripts · classes\toggle-blocks.class.php:42
action · megamenu_print_theme_option_toggle_blocks · classes\toggle-blocks.class.php:43
filter · megamenu_theme_editor_settings · classes\toggle-blocks.class.php:45
filter · widget_update_callback · classes\widget-manager.class.php:36
action · megamenu_after_widget_add · classes\widget-manager.class.php:38
action · megamenu_after_widget_save · classes\widget-manager.class.php:39
action · megamenu_after_widget_delete · classes\widget-manager.class.php:40
action · init · integration\block\location\block.php:29
action · enqueue_block_editor_assets · integration\block\location\block.php:39
filter · megamenu_load_scss_file_contents · integration\twentyseventeen\functions.php:15
action · wp_enqueue_scripts · integration\twentyseventeen\functions.php:24
filter · megamenu_nav_menu_css_class · integration\twentyseventeen\functions.php:34
filter · megamenu_wrap_attributes · integration\zerif\functions.php:14
action · init · megamenu.php:68
action · init · megamenu.php:69
action · admin_init · megamenu.php:70
action · admin_notices · megamenu.php:71
action · widgets_init · megamenu.php:72
filter · in_widget_form · megamenu.php:73
action · after_setup_theme · megamenu.php:75
filter · wp_nav_menu_args · megamenu.php:77
filter · wp_nav_menu_objects · megamenu.php:79
filter · megamenu_nav_menu_objects_before · megamenu.php:80
filter · megamenu_nav_menu_objects_before · megamenu.php:81
filter · megamenu_nav_menu_objects_after · megamenu.php:82
filter · megamenu_nav_menu_objects_after · megamenu.php:83
filter · megamenu_nav_menu_objects_after · megamenu.php:84
filter · body_class · megamenu.php:85
filter · megamenu_nav_menu_css_class · megamenu.php:87
filter · megamenu_nav_menu_css_class · megamenu.php:88
filter · conditional_menus_theme_location · megamenu.php:91
filter · black_studio_tinymce_enable_pages · megamenu.php:92
action · admin_enqueue_scripts · megamenu.php:94
action · admin_print_footer_scripts-nav-menus.php · megamenu.php:96
action · admin_print_scripts-nav-menus.php · megamenu.php:97
action · admin_print_styles-nav-menus.php · megamenu.php:98
action · elementor/widgets/register · megamenu.php:103
action · plugins_loaded · megamenu.php:1448
Maintenance & Trust

Max Mega Menu Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 15, 2025
PHP min version: 5.6
Downloads: 11.4M

Community Trust

Rating: 96/100
Number of ratings: 858
Active installs: 300K
Developer Profile

Max Mega Menu Developer Profile

megamenu

2 plugins · 302K total installs

Trust score: 79
Avg Security Score: 100/100
Avg Patch Time: 1169 days
Detection Fingerprints

How We Detect Max Mega Menu

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/megamenu/framework/styles/css/responsive.css
/wp-content/plugins/megamenu/framework/styles/css/style.css
/wp-content/plugins/megamenu/framework/styles/css/frontend.css
/wp-content/plugins/megamenu/framework/styles/css/themes.css
/wp-content/plugins/megamenu/framework/styles/css/editor.css
/wp-content/plugins/megamenu/framework/styles/css/editor-responsive.css
/wp-content/plugins/megamenu/framework/js/dist/mega-menu-frontend.js
/wp-content/plugins/megamenu/framework/js/dist/mega-menu-editor.js
+1 more

Script Paths
/wp-content/plugins/megamenu/framework/js/dist/mega-menu-frontend.js
/wp-content/plugins/megamenu/framework/js/dist/mega-menu-editor.js
/wp-content/plugins/megamenu/framework/js/dist/mega-menu-admin.js

Version Parameters
megamenu/framework/styles/css/responsive.css?ver=
megamenu/framework/styles/css/style.css?ver=
megamenu/framework/styles/css/frontend.css?ver=
megamenu/framework/styles/css/themes.css?ver=
megamenu/framework/styles/css/editor.css?ver=
megamenu/framework/styles/css/editor-responsive.css?ver=
megamenu/framework/js/dist/mega-menu-frontend.js?ver=
megamenu/framework/js/dist/mega-menu-editor.js?ver=
megamenu/framework/js/dist/mega-menu-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
mega-menu-container
mega-menu-mobile-toggle
mega-menu-primary
mega-menu-toggle
mega-menu-title
mega-menu-item
mega-menu-link
mega-menu-flyout
+7 more

HTML Comments
<!-- Max Mega Menu -->
<!-- Navigation Menu -->
<!-- Max Mega Menu - Primary Navigation -->
<!-- Max Mega Menu - Sub Menu -->
+2 more

Data Attributes
data-mega-menu-transition
data-mega-menu-event
data-mega-menu-align
data-mega-menu-direction

JS Globals
megaMenu

Shortcode Output
[maxmenu
[maxmegamenu
FAQ

Frequently Asked Questions about Max Mega Menu