{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4597", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-12T15:52:33.556Z", "datePublished": "2025-05-30T11:15:08.735Z", "dateUpdated": "2026-04-08T16:40:51.103Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:51.103Z"}, "affected": [{"vendor": "bc2018", "product": "Woo Slider Pro \u2013 Drag Drop Slider Builder For WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.12", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Woo Slider Pro \u2013 Drag Drop Slider Builder For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woo_slide_pro_delete_draft_preview AJAX action in all versions up to, and including, 1.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts."}], "title": "Woo Slider Pro - Drag Drop Slider Builder For WooCommerce <= 1.12 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1eaee0f6-968c-4004-83e7-f79baf3ff88d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-slider-pro-drag-drop-slider-builder-for-woocommerce/trunk/inc/actions.php#L111"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Cheng Liu"}], "timeline": [{"time": "2025-05-29T21:41:13.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-30T12:29:06.998536Z", "id": "CVE-2025-4597", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-30T12:29:18.294Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4597", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-30T12:29:06.998536Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-30T12:29:14.043Z"}}], "cna": {"title": "Woo Slider Pro - Drag Drop Slider Builder For WooCommerce <= 1.12 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Cheng Liu"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}}], "affected": [{"vendor": "bc2018", "product": "Woo Slider Pro \u2013 Drag Drop Slider Builder For WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.12"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-29T21:41:13.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1eaee0f6-968c-4004-83e7-f79baf3ff88d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-slider-pro-drag-drop-slider-builder-for-woocommerce/trunk/inc/actions.php#L111"}], "descriptions": [{"lang": "en", "value": "The Woo Slider Pro \u2013 Drag Drop Slider Builder For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woo_slide_pro_delete_draft_preview AJAX action in all versions up to, and including, 1.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:51.103Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4597", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:40:51.103Z", "dateReserved": "2025-05-12T15:52:33.556Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-30T11:15:08.735Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Woo Slider Pro \u2013 Drag Drop Slider Builder For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woo_slide_pro_delete_draft_preview AJAX action in all versions up to, and including, 1.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts."}, {"lang": "es", "value": "El complemento Woo Slider Pro \u2013 Drag Drop Slider Builder para WooCommerce para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de comprobaci\u00f3n de capacidad en la acci\u00f3n AJAX woo_slide_pro_delete_draft_preview en todas las versiones hasta la 1.12 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, eliminen publicaciones arbitrarias."}], "id": "CVE-2025-4597", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-30T12:15:20.780", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-slider-pro-drag-drop-slider-builder-for-woocommerce/trunk/inc/actions.php#L111"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1eaee0f6-968c-4004-83e7-f79baf3ff88d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:53:48.736402+00:00", "value": {"mitigation_remediation": ["Upgrade Woo Slider Pro to the latest version that removes the missing authorization check", "If an update is unavailable, disable or delete the plugin to eliminate the vulnerable endpoint", "Ensure that Subscriber and lower\u2011privileged roles do not possess post\u2011deletion capabilities or monitor for anomalous delete requests"], "summary": {"action": "Immediate Patch", "impact": "Authenticated Post Deletion"}, "threat_synthesis": {"affected_systems": "This issue affects WordPress sites running the bc2018 Woo Slider Pro plugin, versions up to and including 1.12. The plug\u2011in\u2019s action is exposed through its administrative AJAX interface, and the flaw exists in all releases prior to 1.13.", "description_and_impact": "The Woo Slider Pro \u2013 Drag Drop Slider Builder For WooCommerce plugin contains a missing capability check on the woo_slide_pro_delete_draft_preview AJAX action. This flaw allows any authenticated user with Subscriber level access or higher to delete arbitrary posts, effectively compromising content integrity. The vulnerability is a Missing Authorization weakness (CWE\u2011862) and is classified as a Medium severity issue with a CVSS score of 6.5.", "risk_and_exploitability": "The EPSS score is less than 1\u202f%, indicating a low likelihood that attackers exploit this flaw. The vulnerability is not listed in the CISA KEV catalog. The attack vector requires an authenticated session; an attacker can trigger the vulnerable AJAX endpoint from any page where the role has been granted, leading to unintended deletion of content. The risk is moderate, driven by the potential for data loss, but limited by the low exploitation probability and lack of public exploit evidence."}}}}, "created": "2026-04-22T15:00:05.618252+00:00", "updated": "2026-04-22T15:00:05.618268+00:00", "vendors": []}