CVE-2016-20074 MEDIUM

CVE-2016-20074: WordPress Lazy Content Slider Plugin 3.4 CSRF

Vendor Leethompson
Product Lazy Content Slider Plugin
Weakness CWE-352 · CSRF
Published June 15, 2026
Last update June 15, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

What the vulnerability does

01Description

WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into submitting POST requests to the plugin settings page via lzcs_admin.php to modify plugin configuration parameters like lzcs_color and lzcs_count.

Explanation of Vulnerability in Simple Terms

02Summary

The Lazy Content Slider Plugin for WordPress contains a cross-site request forgery (CSRF) vulnerability that allows an attacker to perform unauthorized actions on behalf of a logged-in administrator. An attacker can craft a malicious webpage that, when visited by an admin, triggers unwanted changes to plugin settings or content. The vulnerability affects version 3.4 and requires the attacker to trick an admin into visiting a crafted link.

What an attacker can do

03Attacker Capabilities

Perform unauthorized actions (modify settings, delete content) on behalf of a logged-in administrator without their knowledge.

Potential impact on your site

04Site Impact

An attacker can modify plugin settings or site content by exploiting an admin's active session, potentially defacing the site or altering slider configurations.

Conditions required to exploit

05Prerequisites

Attacker must trick a logged-in administrator into visiting a malicious webpage or clicking a crafted link.

Key dates

06Disclosure timeline

June 15, 2026 CVE published
June 15, 2026 Record updated

Related vulnerabilities

08Related CVE