CVE-2025-28996
BaseFortify
Publication date: 2025-06-06
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-28996 is a Broken Access Control vulnerability in the WordPress GPP Slideshow plugin (up to version 1.3.5). It occurs due to missing authorization, authentication, or nonce token checks in certain functions, allowing users with low-level privileges (such as subscribers) to perform actions that should be restricted to higher-privileged roles. This means unauthorized users can exploit the plugin to bypass intended access controls. [1]
How can this vulnerability impact me? :
This vulnerability can allow low-privileged users to perform unauthorized actions within the GPP Slideshow plugin, potentially leading to unauthorized changes or manipulation of the website's slideshow content or related functionality. Since the plugin is abandoned and no official fix exists, the risk remains unless mitigated by virtual patching or removing the plugin. Exploitation could compromise site integrity and may require professional incident response if a compromise occurs. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying unauthorized actions performed by subscriber-level users that should require higher privileges. Since the vulnerability arises from missing authorization checks in the GPP Slideshow plugin, monitoring logs for unexpected access or changes related to the plugin's functionality is recommended. However, plugin-based malware scanners may be unreliable for detection. No specific commands are provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing and replacing the GPP Slideshow plugin with an alternative plugin, as no official fix or updated version is available. Applying a virtual patch (vPatch) from Patchstack is recommended to provide automatic protection against exploitation. Deactivating the plugin alone does not eliminate the risk. Consider engaging professional incident response services if compromise is suspected. [1]