CVE-2026-0684
📋 TL;DR
The CP Image Store with Slideshow WordPress plugin has an authorization bypass vulnerability that allows authenticated users with Contributor-level access or higher to import arbitrary products via XML files. This affects all versions up to 1.1.9 due to a logic error in permission checking. Attackers can exploit this if they can upload XML files to the server.
💻 Affected Systems
- CP Image Store with Slideshow WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could import malicious products containing backdoors, malware, or defacement content, potentially leading to complete site compromise.
Likely Case
Attackers import unauthorized products or content, potentially defacing the site or inserting malicious links/ads.
If Mitigated
With proper access controls and file upload restrictions, impact is limited to unauthorized content import within the plugin's functionality.
🎯 Exploit Status
Exploitation requires authenticated access and XML file upload capability. The vulnerability is in the permission check logic of the cpis_admin_init function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.0
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3434716/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find 'CP Image Store with Slideshow'.
4. Click 'Update Now' if available.
5. If not, download version 1.2.0 from WordPress.org and manually update.
🔧 Temporary Workarounds
Disable plugin (platform: all)
Temporarily disable the vulnerable plugin until patched:
wp plugin deactivate cp-image-store
Restrict XML uploads (platform: linux)
Deny web access to XML files via .htaccess or equivalent web server configuration. Note that this stops uploaded .xml files from being served over HTTP; it does not by itself prevent the upload, so combine it with the upload validation listed below. The directives use Apache 2.2 access-control syntax, which Apache 2.4 only accepts with mod_access_compat loaded (the 2.4-native equivalent is Require all denied):
<FilesMatch "\.xml$">
Order Allow,Deny
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Remove Contributor and higher access from untrusted users
- Implement strict file upload validation to block XML files
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > CP Image Store with Slideshow version. If version is 1.1.9 or lower, you are vulnerable.
Check Version:
wp plugin get cp-image-store --field=version
Verify Fix Applied:
After updating, verify plugin version shows 1.2.0 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML file uploads to WordPress media library
- Product import activity from non-admin users
- Failed permission checks in plugin logs
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with 'action=cpis_import_products' parameter
- XML file uploads to WordPress media endpoints
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" AND parameters.action="cpis_import_products")
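The log and network indicators above, as detection logic run over constructed sample events. This is an added example and not part of the advisory or the plugin; it assumes a JSON-lines request log with fields ts, method, uri, params, user, role and upload_name (an audit-plugin or WAF style event, not the raw Apache access log, since the import action arrives in a POST body), and assumes /wp-admin/async-upload.php, /wp-admin/media-new.php and /wp-json/wp/v2/media as the media upload endpoints. Only the action name cpis_import_products and the admin-ajax.php path come from the advisory.

```python
import json
from urllib.parse import urlparse, parse_qs

IMPORT_ACTION = "cpis_import_products"   # from the advisory's network indicators
ADMIN_AJAX = "/wp-admin/admin-ajax.php"
MEDIA_UPLOAD_PATHS = {                   # assumed WordPress media upload endpoints
    "/wp-admin/async-upload.php",
    "/wp-admin/media-new.php",
    "/wp-json/wp/v2/media",
}
TRUSTED_ROLES = {"administrator"}        # roles expected to run product imports

# Constructed sample events (not real traffic), one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2026-02-01T10:00:01Z", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "params": {"action": "heartbeat"}, "user": "editor1", "role": "editor"}
{"ts": "2026-02-01T10:00:05Z", "method": "POST", "uri": "/wp-admin/async-upload.php", "params": {}, "user": "contrib1", "role": "contributor", "upload_name": "products.xml"}
{"ts": "2026-02-01T10:00:07Z", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "params": {"action": "cpis_import_products", "file": "products.xml"}, "user": "contrib1", "role": "contributor"}
{"ts": "2026-02-01T10:01:00Z", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "params": {"action": "cpis_import_products"}, "user": "admin", "role": "administrator"}
{"ts": "2026-02-01T10:02:00Z", "method": "POST", "uri": "/wp-json/wp/v2/media", "params": {}, "user": "author1", "role": "author", "upload_name": "photo.jpg"}
{"ts": "2026-02-01T10:03:00Z", "method": "GET", "uri": "/wp-admin/admin-ajax.php?action=cpis_import_products", "params": {}, "user": "contrib1", "role": "contributor"}
"""


def parse_events(text):
    """Parse JSON-lines events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def request_action(event):
    """Return the WordPress 'action' parameter from the body params or, failing that, the query string."""
    params = event.get("params") or {}
    if "action" in params:
        return params["action"]
    query = parse_qs(urlparse(event.get("uri", "")).query)
    return query.get("action", [None])[0]


def classify(event):
    """Apply the advisory's indicators to one event and return zero or more alerts."""
    alerts = []
    path = urlparse(event.get("uri", "")).path
    user = event.get("user", "?")
    role = event.get("role", "")
    # Indicator 1: the product import action (mirrors the SIEM query above).
    # Imports by administrators are normal; anyone else triggering it is the bypass pattern.
    if path == ADMIN_AJAX and request_action(event) == IMPORT_ACTION:
        severity = "info" if role in TRUSTED_ROLES else "high"
        alerts.append({"rule": "cpis_import", "severity": severity, "user": user, "ts": event.get("ts")})
    # Indicator 2: XML files landing in the media library.
    upload = event.get("upload_name") or ""
    if path in MEDIA_UPLOAD_PATHS and upload.lower().endswith(".xml"):
        alerts.append({"rule": "xml_upload", "severity": "medium", "user": user, "ts": event.get("ts")})
    return alerts


def scan(text):
    """Run every event in a JSON-lines log through the indicators."""
    return [alert for event in parse_events(text) for alert in classify(event)]


def correlate(alerts):
    """Users who both uploaded an XML file and triggered the import without a trusted role."""
    uploaded = {a["user"] for a in alerts if a["rule"] == "xml_upload"}
    imported = {a["user"] for a in alerts if a["rule"] == "cpis_import" and a["severity"] != "info"}
    return uploaded & imported


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("users with XML upload + import:", correlate(found))
```

The correlation step is what turns the two indicator lists into something worth paging on: an XML upload alone is noisy, and an administrator running the import is expected, but a non-administrator account that does both in sequence matches the exploitation path the advisory describes.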