What the vulnerability does
01Description
WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into submitting POST requests to the plugin settings page via lzcs_admin.php to modify plugin configuration parameters like lzcs_color and lzcs_count.
Explanation of Vulnerability in Simple Terms
02Summary
The Lazy Content Slider Plugin for WordPress contains a cross-site request forgery (CSRF) vulnerability that allows an attacker to perform unauthorized actions on behalf of a logged-in administrator. An attacker can craft a malicious webpage that, when visited by an admin, triggers unwanted changes to plugin settings or content. The vulnerability affects version 3.4 and requires the attacker to trick an admin into visiting a crafted link.
What an attacker can do
03Attacker Capabilities
Perform unauthorized actions (modify settings, delete content) on behalf of a logged-in administrator without their knowledge.
Potential impact on your site
04Site Impact
An attacker can modify plugin settings or site content by exploiting an admin's active session, potentially defacing the site or altering slider configurations.
Conditions required to exploit
05Prerequisites
Attacker must trick a logged-in administrator into visiting a malicious webpage or clicking a crafted link.
Key dates
06Disclosure timeline
June 15, 2026
CVE published
June 15, 2026
Record updated