Description
The Woo Slider Pro – Drag Drop Slider Builder For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woo_slide_pro_delete_draft_preview AJAX action in all versions up to, and including, 1.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.
Published: 2025-05-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated Post Deletion
Action: Immediate Patch
AI Analysis

Impact

The Woo Slider Pro – Drag Drop Slider Builder For WooCommerce plugin contains a missing capability check on the woo_slide_pro_delete_draft_preview AJAX action. This flaw allows any authenticated user with Subscriber level access or higher to delete arbitrary posts, effectively compromising content integrity. The vulnerability is a Missing Authorization weakness (CWE‑862) and is classified as a Medium severity issue with a CVSS score of 6.5.

Affected Systems

This issue affects WordPress sites running the bc2018 Woo Slider Pro plugin, versions up to and including 1.12. The plug‑in’s action is exposed through its administrative AJAX interface, and the flaw exists in all releases prior to 1.13.

Risk and Exploitability

The EPSS score is less than 1 %, indicating a low likelihood that attackers exploit this flaw. The vulnerability is not listed in the CISA KEV catalog. The attack vector requires an authenticated session; an attacker can trigger the vulnerable AJAX endpoint from any page where the role has been granted, leading to unintended deletion of content. The risk is moderate, driven by the potential for data loss, but limited by the low exploitation probability and lack of public exploit evidence.

Generated by OpenCVE AI on April 22, 2026 at 14:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Woo Slider Pro to the latest version that removes the missing authorization check
  • If an update is unavailable, disable or delete the plugin to eliminate the vulnerable endpoint
  • Ensure that Subscriber and lower‑privileged roles do not possess post‑deletion capabilities or monitor for anomalous delete requests

Generated by OpenCVE AI on April 22, 2026 at 14:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-16476 The Woo Slider Pro – Drag Drop Slider Builder For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woo_slide_pro_delete_draft_preview AJAX action in all versions up to, and including, 1.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.
History

Fri, 30 May 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 30 May 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Woo Slider Pro – Drag Drop Slider Builder For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woo_slide_pro_delete_draft_preview AJAX action in all versions up to, and including, 1.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.
Title Woo Slider Pro - Drag Drop Slider Builder For WooCommerce <= 1.12 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:40:51.103Z

Reserved: 2025-05-12T15:52:33.556Z

Link: CVE-2025-4597

cve-icon Vulnrichment

Updated: 2025-05-30T12:29:14.043Z

cve-icon NVD

Status : Deferred

Published: 2025-05-30T12:15:20.780

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4597

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T15:00:05Z

Weaknesses