{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22346", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:19.919Z", "datePublished": "2026-02-20T15:47:00.213Z", "dateUpdated": "2026-04-28T16:47:12.263Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "slider-responsive-slideshow", "product": "Slider Responsive Slideshow \u2013 Image slider, Gallery slideshow", "vendor": "A WP Life", "versions": [{"lessThanOrEqual": "1.5.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:57.431Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in A WP Life Slider Responsive Slideshow \u2013 Image slider, Gallery slideshow slider-responsive-slideshow allows Object Injection.<p>This issue affects Slider Responsive Slideshow \u2013 Image slider, Gallery slideshow: from n/a through <= 1.5.4.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in A WP Life Slider Responsive Slideshow \u2013 Image slider, Gallery slideshow slider-responsive-slideshow allows Object Injection.This issue affects Slider Responsive Slideshow \u2013 Image slider, Gallery slideshow: from n/a through <= 1.5.4."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:41.341Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/slider-responsive-slideshow/vulnerability/wordpress-slider-responsive-slideshow-image-slider-gallery-slideshow-plugin-1-5-4-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Slider Responsive Slideshow \u2013 Image slider, Gallery slideshow plugin <= 1.5.4 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T21:07:04.159531Z", "id": "CVE-2026-22346", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:47:12.263Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22346", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T21:07:04.159531Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T21:07:05.596Z"}}], "cna": {"title": "WordPress Slider Responsive Slideshow \u2013 Image slider, Gallery slideshow plugin <= 1.5.4 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "A WP Life", "product": "Slider Responsive Slideshow \u2013 Image slider, Gallery slideshow", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.5.4"}], "packageName": "slider-responsive-slideshow", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:57.431Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/slider-responsive-slideshow/vulnerability/wordpress-slider-responsive-slideshow-image-slider-gallery-slideshow-plugin-1-5-4-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in A WP Life Slider Responsive Slideshow \u2013 Image slider, Gallery slideshow slider-responsive-slideshow allows Object Injection.This issue affects Slider Responsive Slideshow \u2013 Image slider, Gallery slideshow: from n/a through <= 1.5.4.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in A WP Life Slider Responsive Slideshow \u2013 Image slider, Gallery slideshow slider-responsive-slideshow allows Object Injection.<p>This issue affects Slider Responsive Slideshow \u2013 Image slider, Gallery slideshow: from n/a through <= 1.5.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:41.341Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22346", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:47:12.263Z", "dateReserved": "2026-01-07T12:21:19.919Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:47:00.213Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in A WP Life Slider Responsive Slideshow \u2013 Image slider, Gallery slideshow slider-responsive-slideshow allows Object Injection.This issue affects Slider Responsive Slideshow \u2013 Image slider, Gallery slideshow: from n/a through <= 1.5.4."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en A WP Life Slider Responsive Slideshow \u2013 deslizador de im\u00e1genes, presentaci\u00f3n de diapositivas de galer\u00eda slider-responsive-slideshow permite la inyecci\u00f3n de objetos. Este problema afecta a Slider Responsive Slideshow \u2013 deslizador de im\u00e1genes, presentaci\u00f3n de diapositivas de galer\u00eda: desde n/a hasta &lt;= 1.5.4."}], "id": "CVE-2026-22346", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:33.667", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/slider-responsive-slideshow/vulnerability/wordpress-slider-responsive-slideshow-image-slider-gallery-slideshow-plugin-1-5-4-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Slider Responsive Slideshow \u2013 Image slider, Gallery slideshow", "source": "cna", "vendor": "A WP Life"}, "product": "slider_responsive_slideshow_\u2013_image_slider,_gallery_slideshow", "vendor": "a_wp_life"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T06:22:35.073058+00:00", "value": {"mitigation_remediation": ["Update Slider Responsive Slideshow to the latest version (\u2265\u202f1.5.5 if available).", "If an update is not feasible, disable or uninstall the plugin entirely.", "Restrict administrative access to the plugin\u2019s configuration pages to trusted users only.", "Deploy a web application firewall rule to block or log attempts to POST malicious serialized data.", "Regularly review server logs for signs of deserialization exploits or abnormal activity."], "summary": {"action": "Immediate Patch", "impact": "PHP Object Injection, potential code execution"}, "threat_synthesis": {"affected_systems": "The affected product is \"A WP Life: Slider Responsive Slideshow \u2013 Image slider, Gallery slideshow\". Versions from the earliest available release up to and including 1.5.4 are vulnerable. The specific affected versions are not enumerated beyond the upper bound of 1.5.4.", "description_and_impact": "The vulnerability is a PHP Object Injection flaw caused by deserialization of untrusted data. An attacker who can provide crafted serialized payloads to the plugin can instantiate arbitrary PHP objects, potentially leading to remote code execution or other destructive behaviors. The weakness is categorized as CWE\u2011502, where the application allows the creation of unintended objects via deserialization.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity. The EPSS score is below 1%, showing a low but nonzero exploitation probability at present, and the vulnerability is not listed in the CISA KEV catalog. Attackers would most likely exploit the flaw by sending malicious serialized data through the plugin\u2019s web interfaces, such as POST requests or specially crafted URLs, leveraging the plugin\u2019s lack of input validation. Given the high impact and high score, the risk is significant for any site running the vulnerable plugin without mitigation."}}}}, "created": "2026-02-23T14:36:44.454387+00:00", "updated": "2026-04-16T06:30:06.022440+00:00", "vendors": ["a_wp_life", "a_wp_life$PRODUCT$slider_responsive_slideshow_\u2013_image_slider,_gallery_slideshow", "wordpress", "wordpress$PRODUCT$wordpress"]}