CVE-2026-0684
Unknown Unknown - Not Provided
Authorization Bypass in CP Image Store Plugin Allows Product Import

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: Wordfence

Description
The CP Image Store with Slideshow plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9 due to a logic error in the 'cpis_admin_init' function's permission check. This makes it possible for authenticated attackers, with Contributor-level access and above, to import arbitrary products via XML, if the XML file has already been uploaded to the server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0684
EUVD
EUVD-2026-2352
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
unknown_vendor cp_image_store_with_slideshow to 1.1.9 (inc)
unknown_vendor cp_image_store_with_slideshow 1.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CP Image Store with Slideshow plugin for WordPress has a logic error in its 'cpis_admin_init' function's permission check. This flaw allows authenticated users with Contributor-level access or higher to bypass authorization and import arbitrary products via XML files, provided the XML file has already been uploaded to the server.

Impact Analysis

This vulnerability can allow attackers with Contributor-level access to import arbitrary products into the WordPress site without proper authorization. This could lead to unauthorized content or data being added to the site, potentially impacting site integrity and trustworthiness.

Detection Guidance

To detect this vulnerability, you should check if the WordPress site is running the CP Image Store with Slideshow plugin version 1.1.9 or earlier. Since the vulnerability involves an authorization bypass in the import functionality, monitoring for suspicious POST requests to the import endpoint with the parameter 'cpis_import' could indicate exploitation attempts. You can use web server logs or tools like Wireshark to look for POST requests containing 'cpis_import'. Additionally, checking the plugin version can be done via WP-CLI with the command: `wp plugin list --field=version --name=cp-image-store`. There are no specific commands provided in the resources for direct detection of exploit attempts. [2]

Mitigation Strategies

The immediate mitigation step is to update the CP Image Store with Slideshow plugin to version 1.2.0 or later, where the vulnerability has been fixed by correcting the permission and nonce verification logic. Until the update can be applied, restrict Contributor-level and above users from accessing the import functionality or disable the plugin if possible to prevent exploitation. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0684. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart