CVE-2026-25455
Missing Authorization in WooCommerce Product Slider Allows Unauthorized Access
Publication date: 2026-03-25
Last updated on: 2026-04-28
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pickplugins | product_slider_for_woocommerce | to 1.13.60 (inc) |
| pickplugins | woocommerce_products_slider | From 1.0.0 (inc) to 1.13.60 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-25455 is a medium severity Broken Access Control vulnerability in the WordPress Product Slider for WooCommerce plugin, affecting versions up to and including 1.13.60.
The vulnerability arises from missing authorization, authentication, or nonce token checks in certain plugin functions, which allows unprivileged users such as subscribers or developers to perform actions that should be restricted to higher privileged roles.
This issue is classified under OWASP Top 10 A1: Broken Access Control.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized actions being performed by users without the necessary privileges, potentially compromising the security and integrity of your WooCommerce site.
Because the vulnerability allows mass exploitation across numerous websites regardless of their traffic or popularity, it poses a moderate risk with a CVSS score of 6.5.
Until an official patch is released, users must rely on mitigation rules that block all related requests to prevent exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization, authentication, or nonce token checks in certain plugin functions, allowing unprivileged users to perform privileged actions.
Detection involves monitoring for unauthorized or suspicious requests targeting the Product Slider for WooCommerce plugin, especially those attempting to perform actions reserved for higher privileged roles.
No specific detection commands are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the Patchstack mitigation rule that blocks all legitimate and illegitimate requests related to the vulnerability to cover all attack scenarios.
Users are advised to update the Product Slider for WooCommerce plugin immediately once a safe patch is available.
Until a patch is released, seek assistance from hosting providers or web developers to apply available mitigations or use automated vulnerability mitigation services offered by Patchstack.