QuadMenu – Mega Menu Security & Risk Analysis

wordpress.org/plugins/quadmenu

Responsive mega menu plugin for WordPress with customizable layouts and an intuitive drag-and-drop builder.

10K active installs · v3.3.2 · PHP 5.6+ · WP 4.7+ · Updated Nov 28, 2025
Tags: mega-menu, megamenu, menu, mobile-menu, responsive-menu
94
A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Apr 11, 2025
Safety Verdict

Is QuadMenu – Mega Menu Safe to Use in 2026?

Generally Safe

Score 94/100

QuadMenu – Mega Menu has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Apr 11, 2025 · Updated 4mo ago
Risk Assessment

Quadmenu v3.3.2 presents a mixed security posture. Static analysis indicates a relatively clean entry point surface: all AJAX handlers and REST API routes appear to have authorization checks, and a significant percentage of SQL queries use prepared statements. There are notable concerns, however. The code signals show that only 56% of output is properly escaped, a significant weakness that could lead to cross-site scripting (XSS) vulnerabilities if malicious data is ever introduced through unsanitized inputs. Furthermore, the taint analysis shows flows with unsanitized paths; although these are not currently classified as critical or high severity, they represent potential avenues for exploitation.

The vulnerability history is a significant red flag. The plugin has two known CVEs, one critical and one medium, the most recent dated April 2025. While there are no currently unpatched vulnerabilities, the past critical and medium severity issues, particularly Cross-Site Request Forgery (CSRF) and Unrestricted Upload of File with Dangerous Type, indicate a pattern of exploitable flaws. This history suggests that developers may not consistently apply security best practices throughout the development lifecycle.

In conclusion, while Quadmenu v3.3.2 has some strengths in its access control for entry points and its use of prepared SQL queries, the high percentage of unescaped output, the unsanitized taint flows, and a concerning historical pattern of critical and medium vulnerabilities necessitate caution.

Key Concerns

  • High percentage of unescaped output
  • Flows with unsanitized paths found
  • History of 1 critical CVE
  • History of 1 medium CVE
  • Unrestricted Upload of File with Dangerous Type history
Vulnerabilities
2

QuadMenu – Mega Menu Security Vulnerabilities

CVEs by Year

  • 2021: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • Critical: 1
  • Medium: 1

2 total CVEs

CVE-2025-2871 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WordPress Mega Menu – QuadMenu <= 3.2.0 - Cross-Site Request Forgery to Limited User Meta Update

Apr 11, 2025 · Patched in 3.2.1 (1d)

CVE-2021-4443 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type

WordPress Mega Menu <= 2.0.6 - Arbitrary File Creation

Feb 22, 2021 · Patched in 2.0.7 (1332d)
Code Analysis
Analyzed Mar 16, 2026

QuadMenu – Mega Menu Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 2 (6 prepared)
  • Unescaped Output: 445 (568 escaped)
  • Nonce Checks: 7
  • Capability Checks: 5
  • File Operations: 10
  • External Requests: 16
  • Bundled Libraries: 1

Bundled Libraries

jQuery

SQL Query Safety

75% prepared · 8 total queries

Output Escaping

56% escaped · 1013 total outputs

Data Flows: 4 unsanitized

Data Flow Analysis

7 flows · 4 with unsanitized paths

  • save_network_page (redux\ReduxCore\framework.php:621)
Attack Surface

QuadMenu – Mega Menu Attack Surface

Entry Points: 5
Unprotected: 0

AJAX Handlers 5

  • nopriv · wp_ajax_redux_p · redux\ReduxCore\inc\class.p.php:7
  • auth · wp_ajax_redux_p · redux\ReduxCore\inc\class.p.php:8
  • auth · wp_ajax_redux_hide_admin_notice · redux\ReduxCore\inc\class.redux_admin_notices.php:32
  • auth · wp_ajax_redux_allow_tracking · redux\ReduxCore\inc\tracking.php:517
  • auth · wp_ajax_redux_support_hash · redux\ReduxCore\inc\welcome\welcome.php:25

WordPress Hooks 72

  • action · wp_default_scripts · jetpack_vendor\automattic\jetpack-assets\actions.php:11
  • action · plugins_loaded · jetpack_vendor\automattic\jetpack-assets\actions.php:12
  • filter · wp_resource_hints · jetpack_vendor\automattic\jetpack-assets\src\class-assets.php:182
  • action · wp_loaded · jetpack_vendor\automattic\jetpack-assets\src\class-script-data.php:38
  • action · enqueue_block_editor_assets · jetpack_vendor\automattic\jetpack-assets\src\class-script-data.php:52
  • action · shutdown · jetpack_vendor\automattic\jetpack-status\src\class-errors.php:38
  • action · wp_network_dashboard_setup · jetpack_vendor\quadlayers\wp-dashboard-widget-news\src\Load.php:36
  • action · wp_dashboard_setup · jetpack_vendor\quadlayers\wp-dashboard-widget-news\src\Load.php:37
  • action · admin_notices · jetpack_vendor\quadlayers\wp-notice-plugin-promote\src\Load.php:95
  • action · admin_notices · jetpack_vendor\quadlayers\wp-notice-plugin-promote\src\Load.php:104
  • action · admin_notices · jetpack_vendor\quadlayers\wp-notice-plugin-required\src\Load.php:40
  • filter · install_plugins_tabs · jetpack_vendor\quadlayers\wp-plugin-install-tab\src\Load.php:33
  • action · install_plugins_quadlayers · jetpack_vendor\quadlayers\wp-plugin-install-tab\src\Load.php:34
  • action · plugins_loaded · jetpack_vendor\quadlayers\wp-plugin-suggestions\src\Page.php:47
  • action · admin_menu · jetpack_vendor\quadlayers\wp-plugin-suggestions\src\Page.php:50
  • action · admin_init · jetpack_vendor\quadlayers\wp-plugin-suggestions\src\Page.php:55
  • filter · network_admin_url · jetpack_vendor\quadlayers\wp-plugin-suggestions\src\Page.php:56
  • filter · self_admin_url · jetpack_vendor\quadlayers\wp-plugin-suggestions\src\Table.php:52
  • filter · network_admin_url · jetpack_vendor\quadlayers\wp-plugin-suggestions\src\Table.php:53
  • filter · plugin_row_meta · jetpack_vendor\quadlayers\wp-plugin-table-links\src\Load.php:36
  • action · admin_footer · redux\redux\icons\field_icons.php:8
  • action · wp_dashboard_setup · redux\ReduxCore\core\dashboard.php:13
  • action · redux/init · redux\ReduxCore\framework.php:30
  • action · admin_menu · redux\ReduxCore\framework.php:370
  • action · network_admin_menu · redux\ReduxCore\framework.php:374
  • action · admin_bar_menu · redux\ReduxCore\framework.php:378
  • action · admin_init · redux\ReduxCore\framework.php:388
  • action · admin_notices · redux\ReduxCore\framework.php:398
  • action · admin_init · redux\ReduxCore\framework.php:401
  • action · admin_enqueue_scripts · redux\ReduxCore\framework.php:405
  • action · wp_head · redux\ReduxCore\framework.php:411
  • action · wp_enqueue_scripts · redux\ReduxCore\framework.php:412
  • action · login_head · redux\ReduxCore\framework.php:417
  • action · login_enqueue_scripts · redux\ReduxCore\framework.php:418
  • action · admin_head · redux\ReduxCore\framework.php:423
  • action · admin_enqueue_scripts · redux\ReduxCore\framework.php:424
  • action · wp_print_scripts · redux\ReduxCore\framework.php:427
  • action · admin_enqueue_scripts · redux\ReduxCore\framework.php:428
  • action · admin_bar_menu · redux\ReduxCore\framework.php:440
  • action · admin_head · redux\ReduxCore\framework.php:1780
  • filter · admin_footer_text · redux\ReduxCore\framework.php:1783
  • action · after_setup_theme · redux\ReduxCore\inc\class.redux_api.php:47
  • action · init · redux\ReduxCore\inc\class.redux_api.php:48
  • action · switch_theme · redux\ReduxCore\inc\class.redux_api.php:49
  • action · ReduxFrameworkPlugin_admin_notice · redux\ReduxCore\inc\class.redux_api.php:575
  • action · redux_framework_plugin_admin_notice · redux\ReduxCore\inc\class.redux_api.php:576
  • action · redux/construct · redux\ReduxCore\inc\class.redux_instances.php:66
  • action · customize_register · redux\ReduxCore\inc\extensions\customizer\extension_customizer.php:120
  • action · wp_head · redux\ReduxCore\inc\extensions\customizer\extension_customizer.php:128
  • action · customize_save_after · redux\ReduxCore\inc\extensions\customizer\extension_customizer.php:131
  • action · customize_controls_print_scripts · redux\ReduxCore\inc\extensions\customizer\extension_customizer.php:134
  • action · customize_controls_init · redux\ReduxCore\inc\extensions\customizer\extension_customizer.php:136
  • filter · upload_mimes · redux\ReduxCore\inc\extensions\import_export\extension_import_export.php:113
  • filter · redux/font-icons · redux\ReduxCore\inc\fields\select\elusive-icons.php:312
  • action · admin_enqueue_scripts · redux\ReduxCore\inc\themecheck\class.redux_themecheck.php:74
  • action · admin_enqueue_scripts · redux\ReduxCore\inc\themecheck\class.redux_themecheck.php:75
  • action · themecheck_checks_loaded · redux\ReduxCore\inc\themecheck\class.redux_themecheck.php:77
  • action · themecheck_checks_loaded · redux\ReduxCore\inc\themecheck\class.redux_themecheck.php:78
  • action · admin_enqueue_scripts · redux\ReduxCore\inc\tracking.php:76
  • action · admin_enqueue_scripts · redux\ReduxCore\inc\tracking.php:78
  • action · reduxlegacy_tracking · redux\ReduxCore\inc\tracking.php:95
  • action · admin_print_footer_scripts · redux\ReduxCore\inc\tracking.php:105
  • action · admin_print_footer_scripts · redux\ReduxCore\inc\tracking.php:114
  • filter · redux/tracking/options · redux\ReduxCore\inc\tracking.php:493
  • action · init · redux\ReduxCore\inc\validation\unique_slug\validation_unique_slug.php:59
  • action · redux/loaded · redux\ReduxCore\inc\welcome\welcome.php:23
  • action · admin_menu · redux\ReduxCore\inc\welcome\welcome.php:34
  • filter · admin_footer_text · redux\ReduxCore\inc\welcome\welcome.php:40
  • action · admin_head · redux\ReduxCore\inc\welcome\welcome.php:41
  • action · init · redux\ReduxCore\inc\welcome\welcome.php:90
  • action · init · vendor_packages\wp-notice-plugin-promote.php:4
  • action · init · vendor_packages\wp-plugin-table-links.php:4

Scheduled Events 1

reduxlegacy_tracking
Maintenance & Trust

QuadMenu – Mega Menu Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Nov 28, 2025
  • PHP min version: 5.6
  • Downloads: 1.2M

Community Trust

  • Rating: 90/100
  • Number of ratings: 267
  • Active installs: 10K
Developer Profile

QuadMenu – Mega Menu Developer Profile

quadlayers

17 plugins · 654K total installs

  • Trust score: 76
  • Avg Security Score: 96/100
  • Avg Patch Time: 501 days
Detection Fingerprints

How We Detect QuadMenu – Mega Menu

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/quadmenu/assets/css/admin/customizer.css
  • /wp-content/plugins/quadmenu/assets/css/admin/customize.css
  • /wp-content/plugins/quadmenu/assets/css/admin/editor.css
  • /wp-content/plugins/quadmenu/assets/css/admin/main.css
  • /wp-content/plugins/quadmenu/assets/css/admin/modules.css
  • /wp-content/plugins/quadmenu/assets/css/admin/responsive.css
  • /wp-content/plugins/quadmenu/assets/css/admin/settings.css
  • /wp-content/plugins/quadmenu/assets/css/main.css
  • +78 more

Script Paths

  • /wp-content/plugins/quadmenu/assets/js/admin/customize.js
  • /wp-content/plugins/quadmenu/assets/js/admin/editor.js
  • /wp-content/plugins/quadmenu/assets/js/admin/main.js
  • /wp-content/plugins/quadmenu/assets/js/admin/modules.js
  • /wp-content/plugins/quadmenu/assets/js/admin/settings.js
  • /wp-content/plugins/quadmenu/assets/js/admin/skins.js
  • +27 more

Version Parameters

  • quadmenu/assets/css/quadmenu.css?ver=
  • quadmenu/assets/js/quadmenu.js?ver=

HTML / DOM Fingerprints

  • CSS Classes: quadmenu, quadmenu-nav, quadmenu-toggle
  • HTML Comments: QuadMenu, QuadMenu Admin Settings
  • Data Attributes: data-quadmenu-id, data-quadmenu-parent
  • JS Globals: QuadMenu, quadmenu_admin_editor_settings, quadmenu_admin_customize_settings
  • REST Endpoints: /wp-json/quadmenu/
  • Shortcode Output: [quadmenu]