Image Slider Slideshow <= 1.8 - Authenticated (Contributor+) Insecure Direct Object Reference
Description
The Image Slider Slideshow plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform unauthorized access.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.8# Exploitation Research Plan: CVE-2026-22489 (Image Slider Slideshow) ## 1. Vulnerability Summary The **Image Slider Slideshow** plugin for WordPress (versions <= 1.8) is vulnerable to an **Insecure Direct Object Reference (IDOR)**. The vulnerability exists because the plugin registers AJAX handler…
Show full research plan
Exploitation Research Plan: CVE-2026-22489 (Image Slider Slideshow)
1. Vulnerability Summary
The Image Slider Slideshow plugin for WordPress (versions <= 1.8) is vulnerable to an Insecure Direct Object Reference (IDOR). The vulnerability exists because the plugin registers AJAX handlers that perform sensitive operations (likely slider deletion or modification) based on a user-supplied ID parameter without verifying if the requesting user has the necessary permissions (e.g., manage_options) or ownership of the object. This allows an authenticated user with at least Contributor level access to modify or delete sliders created by administrators.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
iss_delete_slider(inferred based on common IDOR patterns in this plugin) - Vulnerable Parameter:
idorslider_id - Authentication: Authenticated, Contributor role or higher.
- Preconditions: At least one slider must exist in the system (created by an admin).
3. Code Flow
- Entry Point: A Contributor user sends a POST request to
admin-ajax.phpwithaction=iss_delete_slider. - Hook Registration: The plugin registers the action using:
add_action('wp_ajax_iss_delete_slider', 'iss_delete_slider_callback'); - Vulnerable Function: The
iss_delete_slider_callbackfunction is invoked. - Missing Check: The function likely performs a nonce check (which a Contributor can pass if the nonce is exposed) but fails to call
current_user_can('manage_options'). - Sink: The function retrieves the
idfrom$_POST['id']and passes it to a database query like:$wpdb->delete($table_name, array('id' => $id));
4. Nonce Acquisition Strategy
The plugin likely localizes a nonce for its AJAX operations. Based on the plugin structure, the nonce is likely registered in an admin-side script.
- Identify Script Localization: Search the source for
wp_localize_script. It is likely localized under a variable name likeiss_ajax_objoriss_vars. - Determine Access: Since the vulnerability requires Contributor access, check if the "Image Slider" menu is visible to Contributors. If not, the script might still be enqueued on all admin pages or via a shortcode.
- Execution Plan:
- Log in as a Contributor.
- Navigate to the WordPress Dashboard (
/wp-admin/). - Use
browser_evalto extract the nonce:browser_eval("window.iss_ajax_obj?.nonce || window.iss_vars?.nonce")(inferred keys). - If the nonce is not in the admin dashboard, create a page with the slider shortcode:
wp post create --post_type=page --post_status=publish --post_content='[image-slider-slideshow]' - Navigate to that page and extract the nonce using the same
browser_evalmethod.
5. Exploitation Strategy
The goal is to delete a slider created by an administrator.
- Step 1: Discover Target ID: List existing sliders using WP-CLI to identify a target ID.
- Step 2: Authenticate: Log in as a Contributor user.
- Step 3: Extract Nonce: Use the
browser_evalmethod described in Section 4 to obtain a valid_wpnonce. - Step 4: Execute Deletion: Send a POST request to
admin-ajax.phpusing thehttp_requesttool.
Example Request:
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
(Note: Parameter names likeaction=iss_delete_slider&id=[TARGET_SLIDER_ID]&_wpnonce=[EXTRACTED_NONCE]idorslider_idshould be verified against the source code or by intercepting a legitimate admin request.)
6. Test Data Setup
- Admin User: Create a slider using the plugin's dashboard (as Administrator).
wp eval "/* Code to programmatically create an ISS slider or use the UI via browser */"
- Identify ID: Get the ID of the newly created slider.
- Contributor User: Create a user with the contributor role.
wp user create attacker attacker@example.com --role=contributor --user_pass=password
7. Expected Results
- HTTP Response: A successful request should return a
200 OKor a JSON success message (e.g.,{"success":true}). - System State: The slider with the specified ID should be removed from the database.
8. Verification Steps
- Database Check: Use WP-CLI to verify the slider is gone:
wp db query "SELECT * FROM wp_posts WHERE post_type='iss_slider' AND ID=[TARGET_SLIDER_ID]"
(Note: Check if sliders use a custom table or CPTiss_slider/slider.) - UI Check: Navigate to the Image Slider Slideshow dashboard as an admin and verify the slider is no longer listed.
9. Alternative Approaches
If iss_delete_slider is not the vulnerable action:
- Check for
iss_save_slider: Attempt to modify the settings of an admin's slider by changing its title or slides. - Check for
iss_get_slider: Attempt to retrieve private slider configuration data (Inferred IDOR for Information Disclosure). - Check for Missing Nonce: Some versions may omit the
check_ajax_referercall entirely, making the exploit possible without a nonce. Try the request without the_wpnonceparameter first.
Summary
The Image Slider Slideshow plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) due to a lack of capability checks and ownership validation in its AJAX handlers. This allows authenticated users with Contributor-level access or higher to perform unauthorized actions, such as deleting or modifying sliders created by administrators, by providing the target slider's ID.
Vulnerable Code
// Inferred from plugin structure and research plan // File: image-slider-slideshow/admin/admin-functions.php or similar add_action('wp_ajax_iss_delete_slider', 'iss_delete_slider_callback'); function iss_delete_slider_callback() { // Vulnerability: No check for current_user_can('manage_options') or similar capability // Vulnerability: No validation that the user owns the slider being deleted $id = $_POST['id']; global $wpdb; $table_name = $wpdb->prefix . 'iss_sliders'; $wpdb->delete($table_name, array('id' => $id)); wp_send_json_success(); wp_die(); }
Security Fix
@@ -3,6 +3,11 @@ function iss_delete_slider_callback() { + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( array( 'message' => 'Unauthorized access' ) ); + wp_die(); + } + + check_ajax_referer( 'iss_ajax_nonce', 'security' ); + - $id = $_POST['id']; + $id = intval( $_POST['id'] ); global $wpdb;
Exploit Outline
The exploit targets the AJAX endpoint /wp-admin/admin-ajax.php with the action 'iss_delete_slider'. An attacker needs at least Contributor-level authentication to access the WordPress dashboard and obtain a valid security nonce (usually localized in the browser via wp_localize_script or present on pages where the plugin's shortcode is rendered). Once the nonce is obtained, the attacker sends a POST request with the 'action' parameter set to 'iss_delete_slider' and the 'id' parameter set to the ID of a slider created by an administrator. Because the server-side callback fails to verify the user's permissions or the object's ownership, the database record for the targeted slider is deleted.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.