What the vulnerability does
01 Description
The CP Image Store with Slideshow plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9 due to a logic error in the 'cpis_admin_init' function's permission check. This makes it possible for authenticated attackers, with Contributor-level access and above, to import arbitrary products via XML, if the XML file has already been uploaded to the server.
Explanation of Vulnerability in Simple Terms
02 Summary
CP Image Store with Slideshow versions 1.1.9 and earlier contain an authorization flaw that allows authenticated users to modify content they should not have access to. The vulnerability requires a valid user account but no special privileges. An attacker with low-level access can alter image data or slideshow settings, potentially affecting site integrity.
What an attacker can do
03 Attacker Capabilities
Modify or alter images and slideshow content that the attacker should not have permission to change.
Potential impact on your site
04 Site Impact
Authenticated users can tamper with image galleries and slideshows beyond their assigned permissions, risking content corruption.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid user account with low-level privileges on the site.
Key dates
06 Disclosure timeline
January 13, 2026: CVE published
April 8, 2026: Record updated