CVE-2026-22489

Image Slider Slideshow <= 1.8 - Authenticated (Contributor+) Insecure Direct Object Reference

mediumAuthorization Bypass Through User-Controlled Key
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Image Slider Slideshow plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform unauthorized access.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.8
PublishedJanuary 7, 2026
Last updatedJanuary 14, 2026
Affected pluginimage-slider-slideshow
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-22489 (Image Slider Slideshow) ## 1. Vulnerability Summary The **Image Slider Slideshow** plugin for WordPress (versions <= 1.8) is vulnerable to an **Insecure Direct Object Reference (IDOR)**. The vulnerability exists because the plugin registers AJAX handler…

Show full research plan

Exploitation Research Plan: CVE-2026-22489 (Image Slider Slideshow)

1. Vulnerability Summary

The Image Slider Slideshow plugin for WordPress (versions <= 1.8) is vulnerable to an Insecure Direct Object Reference (IDOR). The vulnerability exists because the plugin registers AJAX handlers that perform sensitive operations (likely slider deletion or modification) based on a user-supplied ID parameter without verifying if the requesting user has the necessary permissions (e.g., manage_options) or ownership of the object. This allows an authenticated user with at least Contributor level access to modify or delete sliders created by administrators.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: iss_delete_slider (inferred based on common IDOR patterns in this plugin)
  • Vulnerable Parameter: id or slider_id
  • Authentication: Authenticated, Contributor role or higher.
  • Preconditions: At least one slider must exist in the system (created by an admin).

3. Code Flow

  1. Entry Point: A Contributor user sends a POST request to admin-ajax.php with action=iss_delete_slider.
  2. Hook Registration: The plugin registers the action using:
    add_action('wp_ajax_iss_delete_slider', 'iss_delete_slider_callback');
  3. Vulnerable Function: The iss_delete_slider_callback function is invoked.
  4. Missing Check: The function likely performs a nonce check (which a Contributor can pass if the nonce is exposed) but fails to call current_user_can('manage_options').
  5. Sink: The function retrieves the id from $_POST['id'] and passes it to a database query like:
    $wpdb->delete($table_name, array('id' => $id));

4. Nonce Acquisition Strategy

The plugin likely localizes a nonce for its AJAX operations. Based on the plugin structure, the nonce is likely registered in an admin-side script.

  1. Identify Script Localization: Search the source for wp_localize_script. It is likely localized under a variable name like iss_ajax_obj or iss_vars.
  2. Determine Access: Since the vulnerability requires Contributor access, check if the "Image Slider" menu is visible to Contributors. If not, the script might still be enqueued on all admin pages or via a shortcode.
  3. Execution Plan:
    • Log in as a Contributor.
    • Navigate to the WordPress Dashboard (/wp-admin/).
    • Use browser_eval to extract the nonce:
      browser_eval("window.iss_ajax_obj?.nonce || window.iss_vars?.nonce") (inferred keys).
    • If the nonce is not in the admin dashboard, create a page with the slider shortcode:
      wp post create --post_type=page --post_status=publish --post_content='[image-slider-slideshow]'
    • Navigate to that page and extract the nonce using the same browser_eval method.

5. Exploitation Strategy

The goal is to delete a slider created by an administrator.

  1. Step 1: Discover Target ID: List existing sliders using WP-CLI to identify a target ID.
  2. Step 2: Authenticate: Log in as a Contributor user.
  3. Step 3: Extract Nonce: Use the browser_eval method described in Section 4 to obtain a valid _wpnonce.
  4. Step 4: Execute Deletion: Send a POST request to admin-ajax.php using the http_request tool.

Example Request:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=iss_delete_slider&id=[TARGET_SLIDER_ID]&_wpnonce=[EXTRACTED_NONCE]
    
    (Note: Parameter names like id or slider_id should be verified against the source code or by intercepting a legitimate admin request.)

6. Test Data Setup

  1. Admin User: Create a slider using the plugin's dashboard (as Administrator).
    • wp eval "/* Code to programmatically create an ISS slider or use the UI via browser */"
  2. Identify ID: Get the ID of the newly created slider.
  3. Contributor User: Create a user with the contributor role.
    • wp user create attacker attacker@example.com --role=contributor --user_pass=password

7. Expected Results

  • HTTP Response: A successful request should return a 200 OK or a JSON success message (e.g., {"success":true}).
  • System State: The slider with the specified ID should be removed from the database.

8. Verification Steps

  1. Database Check: Use WP-CLI to verify the slider is gone:
    wp db query "SELECT * FROM wp_posts WHERE post_type='iss_slider' AND ID=[TARGET_SLIDER_ID]"
    (Note: Check if sliders use a custom table or CPT iss_slider / slider.)
  2. UI Check: Navigate to the Image Slider Slideshow dashboard as an admin and verify the slider is no longer listed.

9. Alternative Approaches

If iss_delete_slider is not the vulnerable action:

  • Check for iss_save_slider: Attempt to modify the settings of an admin's slider by changing its title or slides.
  • Check for iss_get_slider: Attempt to retrieve private slider configuration data (Inferred IDOR for Information Disclosure).
  • Check for Missing Nonce: Some versions may omit the check_ajax_referer call entirely, making the exploit possible without a nonce. Try the request without the _wpnonce parameter first.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Image Slider Slideshow plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) due to a lack of capability checks and ownership validation in its AJAX handlers. This allows authenticated users with Contributor-level access or higher to perform unauthorized actions, such as deleting or modifying sliders created by administrators, by providing the target slider's ID.

Vulnerable Code

// Inferred from plugin structure and research plan
// File: image-slider-slideshow/admin/admin-functions.php or similar

add_action('wp_ajax_iss_delete_slider', 'iss_delete_slider_callback');

function iss_delete_slider_callback() {
    // Vulnerability: No check for current_user_can('manage_options') or similar capability
    // Vulnerability: No validation that the user owns the slider being deleted
    $id = $_POST['id'];
    
    global $wpdb;
    $table_name = $wpdb->prefix . 'iss_sliders';
    $wpdb->delete($table_name, array('id' => $id));

    wp_send_json_success();
    wp_die();
}

Security Fix

--- a/admin/admin-functions.php
+++ b/admin/admin-functions.php
@@ -3,6 +3,11 @@
 function iss_delete_slider_callback() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( array( 'message' => 'Unauthorized access' ) );
+        wp_die();
+    }
+
+    check_ajax_referer( 'iss_ajax_nonce', 'security' );
+
-    $id = $_POST['id'];
+    $id = intval( $_POST['id'] );
 
     global $wpdb;

Exploit Outline

The exploit targets the AJAX endpoint /wp-admin/admin-ajax.php with the action 'iss_delete_slider'. An attacker needs at least Contributor-level authentication to access the WordPress dashboard and obtain a valid security nonce (usually localized in the browser via wp_localize_script or present on pages where the plugin's shortcode is rendered). Once the nonce is obtained, the attacker sends a POST request with the 'action' parameter set to 'iss_delete_slider' and the 'id' parameter set to the ID of a slider created by an administrator. Because the server-side callback fails to verify the user's permissions or the object's ownership, the database record for the targeted slider is deleted.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.