Description
WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into submitting POST requests to the plugin settings page via lzcs_admin.php to modify plugin configuration parameters like lzcs_color and lzcs_count.
Published: 2026-06-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross‑site request forgery flaw in WordPress Lazy Content Slider Plugin version 3.4. Attackers can construct a malicious HTML form that submits a POST request to the internal settings page lzcs_admin.php. Because the plugin does not verify the requester’s intent, an authenticated administrator who visits the crafted page will unknowingly change plugin options such as lzcs_color and lzcs_count, granting the attacker the ability to tamper with the plugin’s configuration and potentially alter the site’s appearance or behavior. The flaw is classified as CWE‑352, reflecting a lack of CSRF protection.

Affected Systems

The affected product is Lazy Content Slider Plugin by leethompson, version 3.4; no other versions or variants are listed in the CNA data.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, with exploitation requiring an authenticated administrator but not a deeper system compromise. Because the exploit relies on a predictable form submission endpoint and the absence of CSRF checks, it can be performed via a standard web page or email link. The EPSS score of 0.00106 indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Thus, while the risk is not critical, the attack vector is realistic enough that administrators should apply mitigations as soon as possible.

Generated by OpenCVE AI on June 18, 2026 at 01:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Lazy Content Slider Plugin to a version that contains the CSRF fix; if no newer version exists, consider replacing the plugin with a more secure alternative.
  • If an upgrade cannot be performed immediately, restrict access to the lzcs_admin.php endpoint by IP whitelisting or by removing direct URL exposure so that only trusted administrators can reach it.
  • Add CSRF protection to the plugin’s admin forms by implementing a token mechanism or by using WordPress’s built‑in nonce system (wp_nonce_field) when interacting with lzcs_admin.php.
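The last recommendation in practice, as an added illustration that is not code from the Lazy Content Slider plugin or from OpenCVE: a WordPress options-save handler for settings named as in the advisory (lzcs_color, lzcs_count), first in the unprotected pattern that CWE-352 describes and then hardened with a capability check, a nonce (wp_nonce_field / check_admin_referer) and input validation. The function names, the admin page slug `lzcs`, the nonce action name and the value bounds are assumptions.

```php
<?php
/**
 * Added illustration (not the plugin's own code). Option names follow the
 * advisory; function names, the page slug 'lzcs', the nonce action
 * 'lzcs_save_settings' and the count bounds are assumptions.
 */

/* --- Weak pattern: any POST reaching the handler is trusted. --- */
function lzcs_example_save_settings_unprotected() {
    // No capability check and no nonce: a form hosted on a third-party page
    // and submitted by a logged-in administrator's browser is accepted as-is.
    update_option( 'lzcs_color', $_POST['lzcs_color'] );
    update_option( 'lzcs_count', $_POST['lzcs_count'] );
}

/* --- Hardened pattern: capability check + nonce + validation. --- */
add_action( 'admin_post_lzcs_save_settings', 'lzcs_example_save_settings' );

function lzcs_example_save_settings() {
    // 1. Authorization: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.' ), 403 );
    }

    // 2. CSRF mitigation: the nonce is bound to the user session and the
    //    action name, so a cross-site form cannot supply a valid one.
    //    check_admin_referer() stops the request with a 403 on failure.
    check_admin_referer( 'lzcs_save_settings', 'lzcs_nonce' );

    // 3. Validation: accept only a hex colour and a bounded positive integer.
    //    sanitize_hex_color() returns null for anything that is not a hex colour.
    $color = isset( $_POST['lzcs_color'] )
        ? sanitize_hex_color( wp_unslash( $_POST['lzcs_color'] ) )
        : null;
    $count = isset( $_POST['lzcs_count'] ) ? absint( $_POST['lzcs_count'] ) : 0;

    if ( null === $color || '' === $color || $count < 1 || $count > 50 ) {
        wp_die( esc_html__( 'Invalid settings submitted.' ), 400 );
    }

    update_option( 'lzcs_color', $color );
    update_option( 'lzcs_count', $count );

    // Redirect back to the (assumed) settings page after a successful save.
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=lzcs' ) ) );
    exit;
}

/* --- The admin form that posts to the hardened handler. --- */
function lzcs_example_render_form() {
    $color = get_option( 'lzcs_color', '#ffffff' );
    $count = get_option( 'lzcs_count', 5 );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="lzcs_save_settings">
        <?php wp_nonce_field( 'lzcs_save_settings', 'lzcs_nonce' ); ?>
        <label>Colour
            <input type="text" name="lzcs_color" value="<?php echo esc_attr( $color ); ?>">
        </label>
        <label>Count
            <input type="number" name="lzcs_count" min="1" max="50" value="<?php echo esc_attr( $count ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The nonce alone is the CSRF control; the capability check and value validation are separate defences that the weak pattern also lacks. Keeping all three in the handler (rather than only in the form) matters because the handler, not the form, is what a forged request reaches.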

Tracking

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Leethompson
                                       Leethompson lazy Content Slider Plugin
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Leethompson
                                       Leethompson lazy Content Slider Plugin
                                       Wordpress
                                       Wordpress wordpress

Mon, 15 Jun 2026 17:30:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 14:00:00 +0000

Type                  Values Removed   Values Added
Description                            WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into submitting POST requests to the plugin settings page via lzcs_admin.php to modify plugin configuration parameters like lzcs_color and lzcs_count.
Title                                  WordPress Lazy Content Slider Plugin 3.4 CSRF
Weaknesses                             CWE-352
References
Metrics                                cvssV3_1
                                       {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
                                       cvssV4_0
                                       {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}


Subscriptions

Leethompson Lazy Content Slider Plugin
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-15T16:34:09.967Z

Reserved: 2026-06-15T11:41:35.776Z

Link: CVE-2016-20074

Vulnrichment

Updated: 2026-06-15T16:34:06.130Z

NVD

Status: Deferred

Published: 2026-06-15T14:16:30.663

Modified: 2026-06-15T20:50:47.973

Link: CVE-2016-20074

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T21:09:24Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)