{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25455", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:53.792Z", "datePublished": "2026-03-25T16:14:50.367Z", "dateUpdated": "2026-04-28T16:14:59.348Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "woocommerce-products-slider", "product": "Product Slider for WooCommerce", "vendor": "PickPlugins", "versions": [{"changes": [{"at": "1.13.62", "status": "unaffected"}], "lessThanOrEqual": "1.13.61", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "theviper17 | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:19.203Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in PickPlugins Product Slider for WooCommerce woocommerce-products-slider allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Product Slider for WooCommerce: from n/a through <= 1.13.61.</p>"}], "value": "Missing Authorization vulnerability in PickPlugins Product Slider for WooCommerce woocommerce-products-slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Slider for WooCommerce: from n/a through <= 1.13.61."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:59.348Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/woocommerce-products-slider/vulnerability/wordpress-product-slider-for-woocommerce-plugin-1-13-60-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Product Slider for WooCommerce plugin <= 1.13.61 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T16:43:43.475265Z", "id": "CVE-2026-25455", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:43:28.091Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25455", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:53.792Z", "datePublished": "2026-03-25T16:14:50.367Z", "dateUpdated": "2026-04-28T01:43:28.091Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "woocommerce-products-slider", "product": "Product Slider for WooCommerce", "vendor": "PickPlugins", "versions": [{"changes": [{"at": "1.13.62", "status": "unaffected"}], "lessThanOrEqual": "1.13.61", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "theviper17 | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:19.203Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in PickPlugins Product Slider for WooCommerce woocommerce-products-slider allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Product Slider for WooCommerce: from n/a through <= 1.13.61.</p>"}], "value": "Missing Authorization vulnerability in PickPlugins Product Slider for WooCommerce woocommerce-products-slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Slider for WooCommerce: from n/a through <= 1.13.61."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:09.949Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/woocommerce-products-slider/vulnerability/wordpress-product-slider-for-woocommerce-plugin-1-13-60-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Product Slider for WooCommerce plugin <= 1.13.61 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25455", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:43:43.475265Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:31:55.832Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in PickPlugins Product Slider for WooCommerce woocommerce-products-slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Slider for WooCommerce: from n/a through <= 1.13.61."}, {"lang": "es", "value": "Vulnerabilidad de Autorizaci\u00f3n Faltante en PickPlugins Product Slider para WooCommerce woocommerce-products-slider permite Explotar Niveles de Seguridad de Control de Acceso Incorrectamente Configurados. Este problema afecta a Product Slider para WooCommerce: desde n/a hasta &lt;= 1.13.60."}], "id": "CVE-2026-25455", "lastModified": "2026-04-28T02:16:07.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-25T17:16:51.607", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/woocommerce-products-slider/vulnerability/wordpress-product-slider-for-woocommerce-plugin-1-13-60-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.13.60]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Product Slider for WooCommerce", "source": "cna", "vendor": "PickPlugins"}, "product": "product_slider_for_woocommerce", "vendor": "pickplugins"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T16:56:27.968613+00:00", "value": {"mitigation_remediation": ["Update the plugin to version 1.13.61 or later where the access control issue is resolved.", "If an immediate update is not possible, block unauthenticated access to the plugin\u2019s administrative URLs using a web application firewall or server\u2011level access control.", "Verify that all administrative actions are protected by proper user authentication in the plugin configuration.", "Monitor WordPress logs for unexpected slider modification attempts or anomalies in plugin activity."], "summary": {"action": "Upgrade", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "This issue affects the PickPlugins Product Slider for WooCommerce for all WordPress sites that have the plugin version n/a through <= 1.13.61. Any site running the plugin within that version range is vulnerable; the plugin must be updated to address the missing access control.", "description_and_impact": "The vulnerability is a missing authorization condition in PickPlugins Product Slider for WooCommerce, allowing exploitation of incorrectly configured access control security levels. Attackers can reach administrative actions or functionality within the plugin without proper authentication, potentially modifying slider content on WordPress sites and compromising site presentation. This unauthorized access aligns with the authentication\u2011authorization weakness identified by CWE\u2011862.", "risk_and_exploitability": "The CVSS score of 6.5 indicates medium severity. The EPSS score is less than 1%, suggesting a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via unauthenticated HTTP requests to administrative endpoints of the plugin, based on the missing authorization requirement, though this inference is drawn from the description and not explicitly stated in the CVE text."}}}}, "created": "2026-03-25T21:44:24.233169+00:00", "updated": "2026-04-28T17:00:13.457898+00:00", "vendors": ["pickplugins", "pickplugins$PRODUCT$product_slider_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}