The Advanced Menu Manager plugin for WordPress has a security vulnerability in versions up to 3.0.4. An attacker with an account on the WordPress site, or one without an account who uses Cross-Site Request Forgery (CSRF), can create or delete menus without permission. The cause is a lack of security checks in two of the plugin’s AJAX actions.
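The checks a menu-creating or menu-deleting AJAX handler needs against both cases above (a logged-in user without permission, and a forged cross-site request), as an added example that is not the plugin's own code. The `example_amm_*` action names, the nonce name, the POST field names and the choice of the `edit_theme_options` capability are assumptions.

```php
<?php
// Added illustration; runs inside WordPress as a plugin file. All "example_amm_*"
// names are hypothetical and are not taken from the Advanced Menu Manager plugin.

const EXAMPLE_AMM_NONCE = 'example_amm_menu_nonce';

// Shared guard: reject the request unless it carries a valid nonce (CSRF check)
// and the logged-in user may manage menus (authorization check).
function example_amm_guard() {
    // Third argument false: return the result instead of calling wp_die().
    if ( ! check_ajax_referer( EXAMPLE_AMM_NONCE, 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }
    // Assumption: edit_theme_options, the capability core requires for nav-menus.php.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
}

// Registered only on wp_ajax_*, never wp_ajax_nopriv_*, so logged-out requests
// never reach the handlers.
add_action( 'wp_ajax_example_amm_create_menu', function () {
    example_amm_guard();
    $name = isset( $_POST['menu_name'] ) ? sanitize_text_field( wp_unslash( $_POST['menu_name'] ) ) : '';
    if ( '' === $name ) {
        wp_send_json_error( array( 'message' => 'Menu name required.' ), 400 );
    }
    $menu_id = wp_create_nav_menu( $name );
    if ( is_wp_error( $menu_id ) ) {
        wp_send_json_error( array( 'message' => $menu_id->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'menu_id' => $menu_id ) );
} );

add_action( 'wp_ajax_example_amm_delete_menu', function () {
    example_amm_guard();
    $menu_id = isset( $_POST['menu_id'] ) ? absint( $_POST['menu_id'] ) : 0;
    if ( ! $menu_id || ! is_nav_menu( $menu_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown menu.' ), 404 );
    }
    $result = wp_delete_nav_menu( $menu_id );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success();
} );
// The page rendering the menu UI hands the nonce to its script, e.g. via
// wp_localize_script( $handle, 'exampleAmm', array( 'nonce' => wp_create_nonce( EXAMPLE_AMM_NONCE ) ) );
```

`wp_send_json_error()` ends the request after sending its response, so a failed check in the guard stops the handler before any menu function runs.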