Home

Description

The CP Image Store with Slideshow plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9 due to a logic error in the 'cpis_admin_init' function's permission check. This makes it possible for authenticated attackers, with Contributor-level access and above, to import arbitrary products via XML, if the XML file has already been uploaded to the server.

PUBLISHED Reserved 2026-01-07 | Published 2026-01-13 | Updated 2026-01-13 | Assigner Wordfence




MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-863 Incorrect Authorization

Product status

Default status
unaffected

* (semver)
affected

Timeline

2026-01-07:Vendor Notified
2026-01-12:Disclosed

Credits

Kazuma Matsumoto finder

References

www.wordfence.com/...-2aaf-4e02-9b1e-cebf5f0bfcf7?source=cve

plugins.trac.wordpress.org/.../tags/1.1.9/cp-image-store.php

plugins.trac.wordpress.org/changeset/3434716/

cve.org (CVE-2026-0684)

nvd.nist.gov (CVE-2026-0684)

Download JSON