Description
The Image Slider by Ays- Responsive Slider and Carousel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.0. This is due to missing or incorrect nonce validation on the bulk delete functionality. This makes it possible for unauthenticated attackers to delete arbitrary sliders via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-12-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery allowing arbitrary slider deletion
Action: Patch Now
AI Analysis

Impact

The WordPress plugin Image Slider by Ays is vulnerable to a cross‑site request forgery attack that permits an unauthenticated attacker to delete sliders. The flaw arises from missing or incorrect nonce validation on the bulk delete functionality, allowing an attacker to trick an authenticated site administrator into executing a forged delete request. The effect is loss of slider content, potential disruption of the site’s appearance, and loss of administrative control over media items.
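The root cause named above, a bulk delete action that trusts the administrator's logged-in session without a nonce, is the classic WordPress CSRF shape. The snippet below is an added illustration, not the plugin's own code (which is not shown on this page): a hypothetical admin-post handler first in the unsafe form the advisory describes and then hardened with the standard nonce check. Every `ays_example_*` name, the nonce action string and the table name are assumptions; the WordPress APIs used (`check_admin_referer()`, `wp_nonce_field()`, `current_user_can()`, `wp_safe_redirect()`, `admin_url()`, `esc_url()`, `submit_button()`, `$wpdb`) are real.

```php
<?php
// Added illustration, not code from the Image Slider by Ays plugin.
// All ays_example_* names, the nonce action 'ays_example_bulk_delete' and the
// table name are assumptions chosen for this example.

// UNSAFE (the pattern the advisory describes): only a capability check.
// A request forged from another site is sent with the admin's own cookies,
// so current_user_can() passes and the deletion runs for the CSRF victim.
function ays_example_bulk_delete_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    $ids = isset( $_POST['slider_ids'] ) ? array_map( 'absint', (array) $_POST['slider_ids'] ) : array();
    ays_example_delete_sliders( $ids );
    wp_safe_redirect( admin_url( 'admin.php?page=ays-example-sliders' ) );
    exit;
}

// HARDENED: the nonce ties the request to a form this user actually loaded.
// check_admin_referer() validates the '_wpnonce' POST field against the
// action string and the current user, and stops the request on failure.
function ays_example_bulk_delete_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'ays_example_bulk_delete' ); // nonce action name: assumption
    $ids = isset( $_POST['slider_ids'] ) ? array_map( 'absint', (array) $_POST['slider_ids'] ) : array();
    ays_example_delete_sliders( $ids );
    wp_safe_redirect( admin_url( 'admin.php?page=ays-example-sliders' ) );
    exit;
}

// Shared delete routine: integer-cast IDs only, bound through a prepared query.
function ays_example_delete_sliders( array $ids ) {
    global $wpdb;
    $ids = array_values( array_filter( $ids ) ); // drop zero / non-numeric IDs
    if ( empty( $ids ) ) {
        return 0;
    }
    $table        = $wpdb->prefix . 'ays_example_sliders'; // table name: assumption
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    return $wpdb->query( $wpdb->prepare( "DELETE FROM {$table} WHERE id IN ({$placeholders})", $ids ) );
}

// The matching admin form: wp_nonce_field() emits the hidden '_wpnonce'
// (and '_wp_http_referer') inputs that check_admin_referer() expects.
function ays_example_render_bulk_delete_form( array $slider_ids ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="ays_example_bulk_delete">';
    wp_nonce_field( 'ays_example_bulk_delete' );
    foreach ( $slider_ids as $id ) {
        printf(
            '<label><input type="checkbox" name="slider_ids[]" value="%d"> Slider %d</label><br>',
            absint( $id ),
            absint( $id )
        );
    }
    submit_button( 'Delete selected' );
    echo '</form>';
}

// Only the hardened handler is wired up; the unsafe one is shown for contrast.
add_action( 'admin_post_ays_example_bulk_delete', 'ays_example_bulk_delete_safe' );
```

The design point is that a capability check alone cannot stop CSRF, because the forged request executes inside the administrator's own session and therefore passes `current_user_can()`; the nonce is what proves the request originated from a page the administrator loaded. When reviewing a plugin for this bug class, look for every delete, bulk or single, reached through `admin-post.php` or `admin-ajax.php` and confirm it calls `check_admin_referer()` or `check_ajax_referer()` before acting.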

Affected Systems

All WordPress installations running the Image Slider by Ays‑Responsive Slider and Carousel plugin version 2.7.0 or earlier are affected. The vulnerability exists for the plugin as a whole, regardless of specific slider content, and therefore any site that has not upgraded past version 2.7.0 is at risk. There is no indication that other plugins or core WordPress would be impacted.

Risk and Exploitability

The CVSS score of 4.3 classifies the weakness as medium severity, and the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. Because exploitation requires an authenticated site administrator to be lured into performing an action such as clicking a crafted link, the attack path is CSRF triggered by a user action rather than a direct unauthenticated request. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited or recognized as a known exploit.

Generated by OpenCVE AI on April 20, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Image Slider by Ays plugin to version 2.7.1 or later to remove the CSRF flaw
  • If an upgrade is not immediately possible, restrict or disable the bulk delete capability for users without administrative privileges
  • Audit the site for any deleted sliders and regenerate or restore them if possible
  • Monitor administrative activity logs for unexpected delete actions in the slider interface

Advisories

No advisories yet.

History

Mon, 15 Dec 2025 16:15:00 +0000

Values added
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 14 Dec 2025 21:30:00 +0000

Values added
  First Time appeared: Ays-pro; Ays-pro image Slider; Wordpress; Wordpress wordpress
  Vendors & Products: Ays-pro; Ays-pro image Slider; Wordpress; Wordpress wordpress

Sat, 13 Dec 2025 03:45:00 +0000

Values added
  Description: The Image Slider by Ays- Responsive Slider and Carousel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.0. This is due to missing or incorrect nonce validation on the bulk delete functionality. This makes it possible for unauthenticated attackers to delete arbitrary sliders via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
  Title: Image Slider by Ays- Responsive Slider and Carousel <= 2.7.0 - Cross-Site Request Forgery to Arbitrary Slider Deletion
  Weaknesses: CWE-352
  References: (none listed)
  Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Ays-pro Image Slider
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:06.587Z

Reserved: 2025-12-10T14:39:39.550Z

Link: CVE-2025-14454

Vulnrichment

Updated: 2025-12-15T15:43:51.715Z

NVD

Status: Deferred

Published: 2025-12-13T16:16:50.163

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14454

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:30:18Z

Weaknesses