CVE-2026-22346 HIGH

CVE-2026-22346: WordPress Slider Responsive Slideshow – Image slider, Gallery slideshow plugin <= 1.5.4 - PHP Object Injection vulnerability

Vendor A Wp Life
Product Slider Responsive Slideshow – Image slider, Gallery slideshow
Weakness CWE-502 · Unsafe deserialization
Published February 20, 2026
Last update April 28, 2026
View on NVD All CVEs

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Deserialization of Untrusted Data vulnerability in A WP Life Slider Responsive Slideshow – Image slider, Gallery slideshow slider-responsive-slideshow allows Object Injection.This issue affects Slider Responsive Slideshow – Image slider, Gallery slideshow: from n/a through <= 1.5.4.

Explanation of Vulnerability in Simple Terms

02Summary

The Slider Responsive Slideshow plugin for WordPress contains a deserialization vulnerability in versions up to 1.5.4. An authenticated attacker with low privileges can send a specially crafted request to deserialize untrusted data, leading to remote code execution. This allows complete compromise of the affected WordPress site, including reading sensitive data, modifying content, and disrupting service.

What an attacker can do

03Attacker Capabilities

Run arbitrary PHP code on the site and fully compromise it.

Potential impact on your site

04Site Impact

Any authenticated user can take over your site, steal data, inject malware, or take it offline.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege WordPress account (e.g., subscriber or contributor role).

Key dates

06Disclosure timeline

February 20, 2026 CVE published
April 28, 2026 Record updated