CVE-2025-39531 MEDIUM

CVE-2025-39531: WordPress Slazzer Background Changer plugin <= 3.14 - Broken Access Control Vulnerability

Vendor Slazzercom
Product Slazzer Background Changer
Weakness CWE-862 · Missing authorization
Published April 16, 2025
Last update April 28, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01 Description

Missing Authorization vulnerability in slazzercom Slazzer Background Changer (slazzer-background-changer) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Slazzer Background Changer: from n/a through <= 3.14.

Explanation of Vulnerability in Simple Terms

02 Summary

Slazzer Background Changer versions 3.14 and earlier lack proper authorization checks, allowing unauthenticated attackers to disrupt the service. The vulnerability requires only network access and no user interaction. An attacker can make repeated requests to cause a denial-of-service condition affecting availability.

What an attacker can do

03 Attacker Capabilities

Make the service unavailable by sending repeated requests without authentication.

Potential impact on your site

04 Site Impact

Service disruptions if Slazzer Background Changer is integrated into your site or workflow.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

April 16, 2025 CVE published
April 28, 2026 Record updated