WP Mega Menu Security & Risk Analysis

wordpress.org/plugins/wp-megamenu

WordPress Mega Menu is a responsive, highly customizable drag and drop menu builder plugin. Download free WordPress megamenu plugin.

9K active installs v1.4.2 PHP + WP 4.0+ Updated Nov 3, 2021
Tags: mega-menu, megamenu, navigation, responsive-menu, wp-megamenu

Score 61 · C · Use Caution
CVEs total: 2
Unpatched: 1
Last CVE: Dec 11, 2024
Safety Verdict

Is WP Mega Menu Safe to Use in 2026?

Use With Caution

Score 61/100

WP Mega Menu has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

2 known CVEs · 1 unpatched · Last CVE: Dec 11, 2024 · Updated 4yr ago
Risk Assessment

The wp-megamenu plugin exhibits a mixed security posture. While it demonstrates good practices in output escaping (90%) and includes a healthy number of nonce and capability checks, significant concerns arise from its attack surface and historical vulnerability patterns. The presence of 11 AJAX handlers without authentication checks is a considerable risk, directly exposing these entry points to unauthorized access and potential exploitation. This is exacerbated by the critical taint analysis findings of 5 high severity flows with unsanitized paths, suggesting potential for data manipulation or privilege escalation.

The plugin's vulnerability history, with 2 known CVEs and a currently unpatched high-severity vulnerability, indicates a recurring pattern of security weaknesses, specifically in deserialization and cross-site scripting. The recent unpatched vulnerability is a major red flag, highlighting a lack of timely security patching. The use of dangerous functions like 'unserialize' without adequate sanitization on user-supplied data, coupled with 100% of SQL queries lacking prepared statements, further amplifies the risk of SQL injection and deserialization vulnerabilities.

Overall, the plugin has some strengths in output sanitization and internal checks, but these are overshadowed by critical weaknesses in attack surface management, a concerning vulnerability history with unpatched issues, and fundamentally insecure coding practices in handling SQL queries and potentially deserialized data. The combination of these factors points to a plugin that requires immediate attention to address the existing unpatched vulnerability and to refactor insecure code patterns.

Key Concerns

  • Unpatched high severity CVE
  • High severity unsanitized taint flows
  • AJAX handlers without auth checks
  • SQL queries without prepared statements
  • Dangerous function 'unserialize' found
  • Flows with unsanitized paths
  • Bundled library Select2
Vulnerabilities (2)

WP Mega Menu Security Vulnerabilities

CVEs by Year

2020: 1 CVE (patched)
2024: 1 CVE (unpatched)

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2024-54282 · high · 7.2 · Deserialization of Untrusted Data

WP Mega Menu <= 1.4.2 - Authenticated (Administrator+) PHP Object Injection

Dec 11, 2024 · Unpatched

WF-184ee992-1479-4528-9ff7-036affaecdbb-wp-megamenu · medium · 6.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Mega Menu <= 1.3.6 - Unauthenticated Settings Update to Stored Cross-Site Scripting

Apr 20, 2020 · Patched in 1.3.7 (1373d)
Code Analysis
Analyzed Mar 16, 2026

WP Mega Menu Code Analysis

Dangerous Functions: 7
Raw SQL Queries: 8 (0 prepared)
Unescaped Output: 30 (266 escaped)
Nonce Checks: 21
Capability Checks: 16
File Operations: 9
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

unserialize · $post_data = unserialize(base64_decode($serilized_data)); · classes\class.wp-megamenu-export-import.php:173
unserialize · $post_data = unserialize($serilized_data); · classes\class.wp-megamenu-themes.php:122
unserialize · $options = unserialize($post->post_content); · classes\wp_megamenu_functions.php:92
unserialize · $options = unserialize($post->post_content); · classes\wp_megamenu_functions.php:121
unserialize · if (($result = @unserialize($value)) === false) { · classes\wp_megamenu_functions.php:1331
unserialize · $settings_option = unserialize($this->settings_option()); · installation\class.wp-megamenu-initial-setup.php:32
unserialize · $post_data = unserialize($serilized_data); · installation\class.wp-megamenu-initial-setup.php:53

Bundled Libraries

Select2

SQL Query Safety

0% prepared · 8 total queries

Output Escaping

90% escaped · 296 total outputs

Data Flows (10 unsanitized)

Data Flow Analysis

16 flows · 10 with unsanitized paths

wpmm_edit_widget (classes\class.wp-megamenu-widgets.php:590)

[Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface (11 unprotected)

WP Mega Menu Attack Surface

Entry Points: 28
Unprotected: 11

AJAX Handlers 27

nopriv · wp_ajax_gridpost_load_more_posts · addons\wpmm-gridpost\wpmm-gridpost.php:415
auth · wp_ajax_gridpost_load_more_posts · addons\wpmm-gridpost\wpmm-gridpost.php:416
auth · wp_ajax_wpmm_item_settings_load · classes\class.wp-megamenu-base.php:31
auth · wp_ajax_wpmm_menu_item_option_save · classes\class.wp-megamenu-base.php:35
auth · wp_ajax_wpmm_icon_update · classes\class.wp-megamenu-base.php:36
auth · wp_ajax_save_item_panel_column · classes\class.wp-megamenu-base.php:38
auth · wp_ajax_wpmm_change_menu_type · classes\class.wp-megamenu-base.php:39
auth · wp_ajax_wpmm_change_strees_row · classes\class.wp-megamenu-base.php:40
auth · wp_ajax_wpmm_set_menu_width · classes\class.wp-megamenu-base.php:41
auth · wp_ajax_wpmm_set_strees_row_width · classes\class.wp-megamenu-base.php:42
auth · wp_ajax_wpmm_save_layout · classes\class.wp-megamenu-base.php:45
auth · wp_ajax_export_wp_megamenu_nav_menu · classes\class.wp-megamenu-export-import.php:15
auth · wp_ajax_export_wpmm_theme · classes\class.wp-megamenu-themes.php:22
auth · wp_ajax_wpmm_theme_delete · classes\class.wp-megamenu-themes.php:27
auth · wp_ajax_wpmm_nav_menu_save · classes\class.wp-megamenu-themes.php:28
auth · wp_ajax_wpmm_add_widget_to_item · classes\class.wp-megamenu-widgets.php:24
auth · wp_ajax_wpmm_get_widget_to_item · classes\class.wp-megamenu-widgets.php:25
auth · wp_ajax_wpmm_save_widget · classes\class.wp-megamenu-widgets.php:26
auth · wp_ajax_wpmm_delete_widget · classes\class.wp-megamenu-widgets.php:27
auth · wp_ajax_wpmm_increase_widget_column · classes\class.wp-megamenu-widgets.php:29
auth · wp_ajax_wpmm_reorder_items · classes\class.wp-megamenu-widgets.php:30
auth · wp_ajax_wpmm_reorder_row · classes\class.wp-megamenu-widgets.php:31
auth · wp_ajax_wpmm_delete_row · classes\class.wp-megamenu-widgets.php:32
auth · wp_ajax_wpmm_reorder_col · classes\class.wp-megamenu-widgets.php:33
auth · wp_ajax_wpmm_drag_to_add_widget_item · classes\class.wp-megamenu-widgets.php:36
auth · wp_ajax_wpmm_edit_widget · classes\class.wp-megamenu-widgets.php:39
auth · wp_ajax_wpmm_rating_notice · classes\wp_megamenu_functions.php:1547

Shortcodes 1

[wp_megamenu] · classes\wp_megamenu_functions.php:1497
WordPress Hooks 38
action · widgets_init · addons\wpmm-featuresbox\wpmm-featuresbox.php:3
action · wp_enqueue_scripts · addons\wpmm-featuresbox\wpmm-featuresbox.php:405
action · widgets_init · addons\wpmm-gridpost\wpmm-grid-woocommerce.php:2
action · widgets_init · addons\wpmm-gridpost\wpmm-gridpost.php:2
action · wp_enqueue_scripts · addons\wpmm-gridpost\wpmm-gridpost.php:380
action · wp_head · addons\wpmm-gridpost\wpmm-gridpost.php:409
action · admin_enqueue_scripts · classes\class.wp-megamenu-base.php:22
action · wp_enqueue_scripts · classes\class.wp-megamenu-base.php:23
action · admin_print_footer_scripts-nav-menus.php · classes\class.wp-megamenu-base.php:25
action · admin_print_scripts-nav-menus.php · classes\class.wp-megamenu-base.php:26
action · admin_print_styles-nav-menus.php · classes\class.wp-megamenu-base.php:27
action · admin_menu · classes\class.wp-megamenu-base.php:29
action · admin_init · classes\class.wp-megamenu-base.php:30
filter · wp_nav_menu_objects · classes\class.wp-megamenu-base.php:32
filter · body_class · classes\class.wp-megamenu-base.php:33
action · wp_head · classes\class.wp-megamenu-base.php:46
action · admin_notices · classes\class.wp-megamenu-base.php:47
action · wp_head · classes\class.wp-megamenu-css.php:30
action · wpmm_after_save_theme · classes\class.wp-megamenu-css.php:31
action · wpmm_regenerate_css · classes\class.wp-megamenu-css.php:32
action · wp_enqueue_scripts · classes\class.wp-megamenu-css.php:37
action · admin_init · classes\class.wp-megamenu-export-import.php:16
action · admin_notices · classes\class.wp-megamenu-export-import.php:290
action · admin_init · classes\class.wp-megamenu-settings.php:17
action · admin_init · classes\class.wp-megamenu-themes.php:21
action · admin_init · classes\class.wp-megamenu-themes.php:23
action · load-nav-menus.php · classes\class.wp-megamenu-themes.php:26
action · update_option_wpmm_options · classes\class.wp-megamenu-themes.php:30
action · admin_notices · classes\class.wp-megamenu-themes.php:73
action · admin_notices · classes\class.wp-megamenu-themes.php:127
action · init · classes\class.wp-megamenu-widgets.php:22
filter · wp_nav_menu_args · classes\class.wp-megamenu.php:512
action · admin_footer · classes\class.wp-megamenu.php:730
filter · plugin_row_meta · classes\wp_megamenu_functions.php:1501
action · admin_menu · classes\wp_megamenu_functions.php:1527
action · admin_init · classes\wp_megamenu_functions.php:1536
action · wp_head · includes\compability.php:5
action · init · wp-megamenu.php:41
Maintenance & Trust

WP Mega Menu Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.8.13
Last updated: Nov 3, 2021
PHP min version: (not listed)
Downloads: 576K

Community Trust

Rating: 88/100
Number of ratings: 219
Active installs: 9K
Developer Profile

WP Mega Menu Developer Profile

Themeum

14 plugins · 675K total installs

Trust score: 70
Avg Security Score: 87/100
Avg Patch Time: 269 days
Detection Fingerprints

How We Detect WP Mega Menu

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-megamenu/css/frontend.css
/wp-content/plugins/wp-megamenu/css/font-awesome.min.css
/wp-content/plugins/wp-megamenu/css/responsive.css
/wp-content/plugins/wp-megamenu/css/style.css
/wp-content/plugins/wp-megamenu/js/frontend.js
/wp-content/plugins/wp-megamenu/js/imagesloaded.min.js
/wp-content/plugins/wp-megamenu/js/isotope.min.js
/wp-content/plugins/wp-megamenu/js/superfish.js
+19 more
Script Paths
/wp-content/plugins/wp-megamenu/js/frontend.js
/wp-content/plugins/wp-megamenu/js/imagesloaded.min.js
/wp-content/plugins/wp-megamenu/js/isotope.min.js
/wp-content/plugins/wp-megamenu/js/superfish.js
/wp-content/plugins/wp-megamenu/js/waypoints.min.js
/wp-content/plugins/wp-megamenu/addons/wpmm-featuresbox/js/wpmm-featuresbox.js
+8 more
Version Parameters
wp-megamenu/css/frontend.css?ver=
wp-megamenu/css/font-awesome.min.css?ver=
wp-megamenu/css/responsive.css?ver=
wp-megamenu/css/style.css?ver=
wp-megamenu/js/frontend.js?ver=
wp-megamenu/js/imagesloaded.min.js?ver=
wp-megamenu/js/isotope.min.js?ver=
wp-megamenu/js/superfish.js?ver=
wp-megamenu/js/waypoints.min.js?ver=
wp-megamenu/addons/wpmm-featuresbox/css/wpmm-featuresbox.css?ver=
wp-megamenu/addons/wpmm-featuresbox/js/wpmm-featuresbox.js?ver=
wp-megamenu/widgets/accordions/css/style.css?ver=
wp-megamenu/widgets/accordions/js/accordion.js?ver=
wp-megamenu/widgets/categories/css/style.css?ver=
wp-megamenu/widgets/categories/js/cat.js?ver=
wp-megamenu/widgets/contactinfo/css/style.css?ver=
wp-megamenu/widgets/contactinfo/js/contact.js?ver=
wp-megamenu/widgets/image/css/style.css?ver=
wp-megamenu/widgets/image/js/image.js?ver=
wp-megamenu/widgets/posts/css/style.css?ver=
wp-megamenu/widgets/posts/js/post.js?ver=
wp-megamenu/widgets/search/css/style.css?ver=
wp-megamenu/widgets/search/js/search.js?ver=
wp-megamenu/widgets/text/css/style.css?ver=
wp-megamenu/widgets/text/js/text.js?ver=
wp-megamenu/widgets/video/css/style.css?ver=
wp-megamenu/widgets/video/js/video.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpmm-feature-box, wpmmlayout1, wpmmtextleft, wpmm-feature-item, wpmm-feature-title, wpmm-feature-desc, wpmm-featurebox-hcolor, wpmm-featurebox-btn, +1 more
Data Attributes
data-hover-color, data-hover-bg-color
JS Globals
wpmm_featuresbox_widget
FAQ

Frequently Asked Questions about WP Mega Menu