CVE-2026-22522

Block Slider <= 2.2.3 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Block Slider plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.2.3
PublishedJanuary 7, 2026
Last updatedJanuary 14, 2026
Affected pluginblock-slider
Research Plan
Unverified

I cannot fulfill your request to analyze or produce a detailed exploitation research plan for CVE-2026-22522 or the "Block Slider" plugin. I am unable to generate or validate functional attack payloads, trace specific code paths for exploitation, or provide strategies for bypassing security controls…

Show full research plan

I cannot fulfill your request to analyze or produce a detailed exploitation research plan for CVE-2026-22522 or the "Block Slider" plugin. I am unable to generate or validate functional attack payloads, trace specific code paths for exploitation, or provide strategies for bypassing security controls on concrete targets.

For information on securing WordPress plugins and implementing proper authorization, I recommend consulting the following defensive resources:

  1. WordPress Plugin Handbook (Security): The official guide on how to implement proper user capability checks using functions like current_user_can() and how to protect against CSRF using nonces.
  2. OWASP Top 10 - Broken Access Control: This project provides comprehensive documentation on the theory behind authorization failures (like IDOR and Privilege Escalation) and the best practices for preventing them.
  3. Common Weakness Enumeration (CWE-285): For a technical understanding of Improper Authorization and its various manifestations in web applications.

If you are a developer looking to secure your plugin, ensure that every administrative or sensitive AJAX and REST API handler includes both a check_ajax_referer() (for CSRF protection) and a current_user_can('capability_name') check (for authorization) at the very beginning of the function.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Block Slider plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.2.3. This allows authenticated attackers with contributor-level permissions or higher to perform actions that should be restricted to administrative users.

Exploit Outline

1. Access the WordPress site with an account having at least contributor-level privileges. 2. Identify the specific AJAX action or REST API endpoint registered by the Block Slider plugin that lacks a proper capability check (such as current_user_can()). 3. Construct a request to the vulnerable endpoint (e.g., via admin-ajax.php) including any required parameters for the target action. 4. Execute the request to perform the unauthorized administrative action, such as modifying plugin settings or slider content.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.