CVE-2026-7636 MEDIUM

CVE-2026-7636: Slider by Soliloquy <= 2.8.1 - Authenticated (Subscriber+) Information Disclosure via REST API Endpoint

Vendor Smub
Product Slider by Soliloquy – Responsive Image Slider for WordPress
Weakness CWE-200 · Info exposure
Published May 22, 2026
Last update May 22, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The Slider by Soliloquy – Responsive Image Slider for WordPress plugin is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 via map_meta_cap. This makes it possible for authenticated attackers with subscriber-level access and above to extract draft slider metadata, including unpublished media URLs, captions, and slider configuration authored by administrators or editors.

Explanation of Vulnerability in Simple Terms

02 Summary

The Slider by Soliloquy plugin for WordPress versions 2.8.1 and earlier contains an information exposure vulnerability. An authenticated user with low privileges can read sensitive data that should not be accessible to them. The vulnerability requires network access but no user interaction. Site administrators should update the plugin to a version newer than 2.8.1.

What an attacker can do

03 Attacker Capabilities

Read sensitive information not intended for their privilege level.

Potential impact on your site

04 Site Impact

Unauthorized users can access private or restricted data stored by the plugin.

Conditions required to exploit

05 Prerequisites

Attacker must be authenticated as a low-privilege user (e.g., subscriber or contributor).

Key dates

06 Disclosure timeline

May 22, 2026 CVE published
May 22, 2026 Record updated