CVE-2025-4597 MEDIUM

CVE-2025-4597: Woo Slider Pro - Drag Drop Slider Builder For WooCommerce <= 1.12 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion

Vendor Bc2018
Product Woo Slider Pro – Drag Drop Slider Builder For WooCommerce
Weakness CWE-862 · Missing authorization
Published May 30, 2025
Last update April 8, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01 Description

The Woo Slider Pro – Drag Drop Slider Builder For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woo_slide_pro_delete_draft_preview AJAX action in all versions up to, and including, 1.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.
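The description names the weakness class precisely: an admin-ajax handler that deletes a post without a capability check (CWE-862). The following is an added illustration of that class, not the plugin's own code. Only the action name `woo_slide_pro_delete_draft_preview` comes from the advisory; the request parameter `post_id`, the nonce action string, the post type `woo_slider_draft` and both handler bodies are assumptions.

```php
<?php
// Added illustration of CWE-862 in a WordPress admin-ajax handler; this is
// not the plugin's actual code. Only the AJAX action name comes from the
// advisory; parameter name, nonce action, post type and bodies are assumed.

// UNSAFE PATTERN (not registered here): wp_ajax_* hooks fire for every
// logged-in user, so without a capability check any Subscriber who reaches
// admin-ajax.php can delete whatever post ID they supply.
function unsafe_delete_draft_preview() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    wp_delete_post( $post_id, true ); // no authorization: arbitrary deletion
    wp_send_json_success();
}

// HARDENED PATTERN: nonce check (CSRF), per-object capability check
// (authorization), and a type/status check so only the plugin's own
// draft previews can be removed through this action.
add_action( 'wp_ajax_woo_slide_pro_delete_draft_preview', 'safe_delete_draft_preview' );
function safe_delete_draft_preview() {
    // Nonce action string is an assumption; it must match the one issued
    // with wp_create_nonce() in the slider builder's page.
    check_ajax_referer( 'woo_slide_pro_delete_draft_preview', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    if ( ! $post ) {
        wp_send_json_error( 'not found', 404 );
    }

    // 'delete_post' is a meta capability resolved per object by
    // map_meta_cap(); Subscribers fail it for posts they do not own.
    if ( ! current_user_can( 'delete_post', $post->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Limit the action to the plugin's own draft previews (type name assumed).
    if ( 'woo_slider_draft' !== $post->post_type || 'draft' !== $post->post_status ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $post->ID, true );
    wp_send_json_success();
}
```

For triage on a site, the fix is the version update named in the summary; for code review, the pattern to look for is any `wp_ajax_*` (and especially `wp_ajax_nopriv_*`) handler that reaches `wp_delete_post`, `wp_update_post` or `update_option` without a `current_user_can()` check on the specific object being changed. A nonce alone is not an authorization check: it proves the request came from the plugin's page, not that the user is allowed to delete that post.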

Explanation of Vulnerability in Simple Terms

02 Summary

Woo Slider Pro versions 1.12 and earlier lack proper authorization checks, allowing authenticated users with low privileges to modify slider content and settings they should not access. An attacker with a basic user account can alter or delete sliders created by other users or administrators. Update to a version newer than 1.12 to restore proper permission enforcement.

What an attacker can do

03 Attacker Capabilities

Modify or delete sliders and their settings without proper authorization.

Potential impact on your site

04 Site Impact

Any logged-in user can alter or delete sliders, risking site content integrity and customer experience.

Conditions required to exploit

05 Prerequisites

Attacker needs a low-privilege user account on the WordPress site.

Key dates

06 Disclosure timeline

May 30, 2025 CVE published
April 8, 2026 Record updated