What the vulnerability does
01Description
The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Arbitrary Plugin Installation in all versions up to, and including, 1.1.30. This is due to missing capability checks on the activated_plugin function. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the server which can make remote code execution possible.
Explanation of Vulnerability in Simple Terms
02Summary
bSlider contains a missing authorization flaw that allows authenticated users with low privileges to perform actions restricted to higher-privilege roles. An attacker with a basic user account can read, modify, or delete sensitive data and settings without proper permission checks. All versions up to 1.1.30 are affected. Update to a version newer than 1.1.30 to resolve this issue.
What an attacker can do
03Attacker Capabilities
Read, modify, or delete data and settings that should be restricted to administrators or higher-privilege users.
Potential impact on your site
04Site Impact
Unauthorized users can access and alter sensitive slider configurations, content, and potentially site-wide settings.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account on the site (e.g., subscriber or contributor role).
Key dates
06Disclosure timeline
August 12, 2025
CVE published
April 8, 2026
Record updated