CVE-2025-8418 HIGH

CVE-2025-8418: B Slider- Gutenberg Slider Block for WP <= 1.1.30 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Plugin Installation

Vendor Bplugins
Product bSlider – Create Responsive Image, Post, Product, and Video Sliders
Weakness CWE-862 · Missing authorization
Published August 12, 2025
Last update April 8, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Arbitrary Plugin Installation in all versions up to, and including, 1.1.30. This is due to missing capability checks on the activated_plugin function. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the server which can make remote code execution possible.

Explanation of Vulnerability in Simple Terms

02Summary

bSlider contains a missing authorization flaw that allows authenticated users with low privileges to perform actions restricted to higher-privilege roles. An attacker with a basic user account can read, modify, or delete sensitive data and settings without proper permission checks. All versions up to 1.1.30 are affected. Update to a version newer than 1.1.30 to resolve this issue.

What an attacker can do

03Attacker Capabilities

Read, modify, or delete data and settings that should be restricted to administrators or higher-privilege users.

Potential impact on your site

04Site Impact

Unauthorized users can access and alter sensitive slider configurations, content, and potentially site-wide settings.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the site (e.g., subscriber or contributor role).

Key dates

06Disclosure timeline

August 12, 2025 CVE published
April 8, 2026 Record updated