Impact
The vulnerability is a cross‑site request forgery (CSRF) flaw in the WordPress Lazy Content Slider Plugin, version 3.4. An attacker can construct a malicious HTML form that submits a POST request to the plugin's internal settings page, lzcs_admin.php. Because the plugin does not verify that the request was intentionally submitted from its own settings page, an authenticated administrator who visits the crafted page will unknowingly change plugin options such as lzcs_color and lzcs_count. This lets the attacker tamper with the plugin's configuration and potentially alter the site's appearance or behavior. The flaw is classified as CWE‑352 (Cross-Site Request Forgery), reflecting the absence of CSRF protection on the settings handler.
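The pattern behind CWE‑352 in a WordPress settings handler, and the standard fix, are easier to see in code. The following is an added example, not code from the Lazy Content Slider plugin: an unprotected handler of the kind the advisory describes, beside a hardened version that checks the user's capability, verifies a nonce tied to the settings action, and sanitises the submitted values. The option names lzcs_color and lzcs_count come from the advisory; the hook, action, page slug and function names are assumptions chosen for illustration.

```php
<?php
// Added example, not the plugin's own code. Option names lzcs_color and
// lzcs_count are from the advisory; all other names here are assumptions.

// BEFORE (the CWE-352 pattern): the handler saves whatever arrives by POST.
// Any logged-in administrator whose browser submits this request, from any
// origin, changes the options, whether or not they meant to.
function lzcs_example_save_unprotected() {
    if ( isset( $_POST['lzcs_color'] ) ) {
        update_option( 'lzcs_color', $_POST['lzcs_color'] );
    }
    if ( isset( $_POST['lzcs_count'] ) ) {
        update_option( 'lzcs_count', $_POST['lzcs_count'] );
    }
}

// AFTER: the settings form carries a nonce bound to a specific action, and the
// handler refuses the request unless the nonce validates and the user is
// allowed to manage options. Values are validated before being stored.
function lzcs_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="lzcs_example_save" />
        <?php wp_nonce_field( 'lzcs_example_save_settings', 'lzcs_example_nonce' ); ?>
        <label>Color
            <input type="text" name="lzcs_color"
                   value="<?php echo esc_attr( get_option( 'lzcs_color', '#000000' ) ); ?>" />
        </label>
        <label>Count
            <input type="number" name="lzcs_count" min="1" max="50"
                   value="<?php echo esc_attr( get_option( 'lzcs_count', 5 ) ); ?>" />
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function lzcs_example_save_protected() {
    // 1. Authorisation: only users who may change site options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Intent: the nonce must match the action the form was issued for.
    //    check_admin_referer() terminates the request if it does not.
    check_admin_referer( 'lzcs_example_save_settings', 'lzcs_example_nonce' );

    // 3. Input validation: store only well-formed values.
    $color = isset( $_POST['lzcs_color'] )
        ? sanitize_text_field( wp_unslash( $_POST['lzcs_color'] ) )
        : '';
    if ( preg_match( '/^#[0-9a-fA-F]{6}$/', $color ) ) {
        update_option( 'lzcs_color', $color );
    }

    $count = isset( $_POST['lzcs_count'] ) ? absint( $_POST['lzcs_count'] ) : 0;
    if ( $count >= 1 && $count <= 50 ) {
        update_option( 'lzcs_count', $count );
    }

    wp_safe_redirect( add_query_arg(
        'settings-updated',
        'true',
        admin_url( 'options-general.php?page=lzcs-example' )
    ) );
    exit;
}

// Route the form to the protected handler via admin-post.php. The
// admin_post_{action} hook only fires for logged-in users; the capability and
// nonce checks inside the handler do the rest.
add_action( 'admin_post_lzcs_example_save', 'lzcs_example_save_protected' );
add_action( 'admin_menu', function () {
    add_options_page(
        'Lazy Slider (example)',
        'Lazy Slider (example)',
        'manage_options',
        'lzcs-example',
        'lzcs_example_render_form'
    );
} );
```

The two checks are complementary and neither replaces the other: current_user_can() answers "may this user do this?", while the nonce answers "did this user actually intend to do this from our form?". A CSRF page can drive an administrator's browser, so it passes the first check; it cannot read the per-user, per-action nonce embedded in the legitimate form, so it fails the second. When reviewing a plugin for this class of bug, look for every option-writing path (admin-post handlers, admin_init hooks, AJAX endpoints) and confirm each one calls check_admin_referer(), check_ajax_referer() or wp_verify_nonce() before touching update_option().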
Affected Systems
The affected product is Lazy Content Slider Plugin by leethompson, version 3.4; no other versions or variants are listed in the CNA data.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity: exploitation requires that an authenticated administrator interact with attacker-controlled content, but it does not require any prior compromise of the site or server. Because the attack relies on a predictable form-submission endpoint and the absence of CSRF checks, it can be carried out through an ordinary web page or an email link. The EPSS score of 0.00106 indicates a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Thus, while the risk is not critical, the attack vector is realistic enough that administrators should apply mitigations as soon as possible.
OpenCVE Enrichment