{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0684", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-07T18:36:16.239Z", "datePublished": "2026-01-13T13:49:12.628Z", "dateUpdated": "2026-04-08T16:43:13.418Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:13.418Z"}, "affected": [{"vendor": "codepeople", "product": "CP Image Store with Slideshow", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The CP Image Store with Slideshow plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9 due to a logic error in the 'cpis_admin_init' function's permission check. This makes it possible for authenticated attackers, with Contributor-level access and above, to import arbitrary products via XML, if the XML file has already been uploaded to the server."}], "title": "CP Image Store with Slideshow <= 1.1.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Product Import", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/28e48604-2aaf-4e02-9b1e-cebf5f0bfcf7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/cp-image-store/tags/1.1.9/cp-image-store.php#L826"}, {"url": "https://plugins.trac.wordpress.org/changeset/3434716/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-863 Incorrect Authorization", "cweId": "CWE-863", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kazuma Matsumoto"}], "timeline": [{"time": "2026-01-07T18:51:41.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-12T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T14:13:48.128355Z", "id": "CVE-2026-0684", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T14:13:53.871Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0684", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-13T14:13:48.128355Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T14:13:50.331Z"}}], "cna": {"title": "CP Image Store with Slideshow <= 1.1.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Product Import", "credits": [{"lang": "en", "type": "finder", "value": "Kazuma Matsumoto"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "codepeople", "product": "CP Image Store with Slideshow", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-07T18:51:41.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-12T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/28e48604-2aaf-4e02-9b1e-cebf5f0bfcf7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/cp-image-store/tags/1.1.9/cp-image-store.php#L826"}, {"url": "https://plugins.trac.wordpress.org/changeset/3434716/"}], "descriptions": [{"lang": "en", "value": "The CP Image Store with Slideshow plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9 due to a logic error in the 'cpis_admin_init' function's permission check. This makes it possible for authenticated attackers, with Contributor-level access and above, to import arbitrary products via XML, if the XML file has already been uploaded to the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:13.418Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0684", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:43:13.418Z", "dateReserved": "2026-01-07T18:36:16.239Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-13T13:49:12.628Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The CP Image Store with Slideshow plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9 due to a logic error in the 'cpis_admin_init' function's permission check. This makes it possible for authenticated attackers, with Contributor-level access and above, to import arbitrary products via XML, if the XML file has already been uploaded to the server."}, {"lang": "es", "value": "El plugin CP Image Store with Slideshow para WordPress es vulnerable a bypass de autorizaci\u00f3n en todas las versiones hasta la 1.1.9, inclusive, debido a un error de l\u00f3gica en la comprobaci\u00f3n de permisos de la funci\u00f3n cpis_admin_init. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador o superior, importen productos arbitrarios v\u00eda XML, si el archivo XML ya ha sido subido al servidor."}], "id": "CVE-2026-0684", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-13T14:16:38.053", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cp-image-store/tags/1.1.9/cp-image-store.php#L826"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3434716/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/28e48604-2aaf-4e02-9b1e-cebf5f0bfcf7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T21:50:22.734542+00:00", "value": {"mitigation_remediation": ["Update the CP Image Store with Slideshow plugin to a version newer than 1.1.9 to remove the bug.", "Delete any XML files that were previously uploaded to the server that could be leveraged for import.", "If possible, disable the XML import feature or limit Contributor roles from performing product imports to prevent unauthorized product manipulation."], "summary": {"action": "Patch", "impact": "Authorization bypass allowing authenticated users with Contributor or higher rights to import arbitrary products via XML"}, "threat_synthesis": {"affected_systems": "WordPress sites running the CP Image Store with Slideshow plugin version 1.1.9 or earlier, released by the vendor codepeople. These installations expose the import feature to unauthenticated product modification by any user with Contributor privileges or higher.", "description_and_impact": "A logic error in the permission check performed by the 'cpis_admin_init' function permits authenticated users with Contributor level access or higher to import arbitrary products using XML files that have already been uploaded to the server. This flaw effectively grants them the ability to alter product data within the plugin, potentially introducing malicious or malformed content. The vulnerability is limited to the import functionality; it does not grant arbitrary code execution or full administrative control over the site.", "risk_and_exploitability": "The CVSS score of 4.3 places the vulnerability in the moderate severity range, while the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation requires an existing authenticated account with at least Contributor role, which is typically sufficient for site contributors. An attacker would need to have the XML file already uploaded or upload a new one, then trigger the import routine. Due to the need for legitimate WordPress authentication and the absence of a remote code execution path, the overall risk to the site is considered moderate but not high."}}}}, "created": "2026-01-14T11:09:19.372513+00:00", "updated": "2026-04-15T22:00:06.625286+00:00", "vendors": ["codepeople", "codepeople$PRODUCT$cp_image_store_with_slideshow", "wordpress", "wordpress$PRODUCT$wordpress"]}