CVE-2026-0684

The CP Image Store with Slideshow plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9 due to a logic error in the 'cpis_admin_init' function's permission check. This makes it possible for authenticated attackers, with Contributor-level access and above, to import arbitrary products via XML, if the XML file has already been uploaded to the server.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/cp-image-store/tags/1.1.9/cp-image-store.php#L826
https://plugins.trac.wordpress.org/changeset/3434716/
https://www.wordfence.com/threat-intel/vulnerabilities/id/28e48604-2aaf-4e02-9b1e-cebf5f0bfcf7?source=cve

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) El plugin CP Image Store with Slideshow para WordPress es vulnerable a bypass de autorización en todas las versiones hasta la 1.1.9, inclusive, debido a un error de lógica en la comprobación de permisos de la función cpis_admin_init. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador o superior, importen productos arbitrarios vía XML, si el archivo XML ya ha sido subido al servidor.

13 Jan 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-13 14:16

Updated : 2026-04-15 00:35

NVD link : CVE-2026-0684

Mitre link : CVE-2026-0684

CVE.ORG link : CVE-2026-0684

JSON object : View

Products Affected

No product.

CWE

CWE-863

Incorrect Authorization

4.3 /10