CVE-2026-0684
Unknown Unknown - Not Provided

Authorization Bypass in CP Image Store Plugin Allows Product Import

Vulnerability report for CVE-2026-0684, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: Wordfence

Description

The CP Image Store with Slideshow plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9 due to a logic error in the 'cpis_admin_init' function's permission check. This makes it possible for authenticated attackers, with Contributor-level access and above, to import arbitrary products via XML, if the XML file has already been uploaded to the server.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-07-06
AI Q&A
2026-01-14
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
unknown_vendor cp_image_store_with_slideshow to 1.1.9 (inc)
unknown_vendor cp_image_store_with_slideshow 1.2.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

To detect this vulnerability, you should check if the WordPress site is running the CP Image Store with Slideshow plugin version 1.1.9 or earlier. Since the vulnerability involves an authorization bypass in the import functionality, monitoring for suspicious POST requests to the import endpoint with the parameter 'cpis_import' could indicate exploitation attempts. You can use web server logs or tools like Wireshark to look for POST requests containing 'cpis_import'. Additionally, checking the plugin version can be done via WP-CLI with the command: `wp plugin list --field=version --name=cp-image-store`. There are no specific commands provided in the resources for direct detection of exploit attempts. [2]

Mitigation Strategies

The immediate mitigation step is to update the CP Image Store with Slideshow plugin to version 1.2.0 or later, where the vulnerability has been fixed by correcting the permission and nonce verification logic. Until the update can be applied, restrict Contributor-level and above users from accessing the import functionality or disable the plugin if possible to prevent exploitation. [2]

Executive Summary

The CP Image Store with Slideshow plugin for WordPress has a logic error in its 'cpis_admin_init' function's permission check. This flaw allows authenticated users with Contributor-level access or higher to bypass authorization and import arbitrary products via XML files, provided the XML file has already been uploaded to the server.

Impact Analysis

This vulnerability can allow attackers with Contributor-level access to import arbitrary products into the WordPress site without proper authorization. This could lead to unauthorized content or data being added to the site, potentially impacting site integrity and trustworthiness.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0684. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart