Description
The B Slider - Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Server-Side Request Forgery in versions less than or equal to 2.0.0 via the fs_api_request function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.
Published: 2025-08-15
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated Server‑Side Request Forgery
Action: Patch ASAP
AI Analysis

Impact

The vulnerability lies in the fs_api_request function of the B Slider – Gutenberg Slider Block for WP plugin, permitting an authenticated attacker with subscriber-level or higher permissions to initiate HTTP requests from the server to arbitrary URLs. This Server‑Side Request Forgery enables the attacker to probe, read, or modify data on internal services that the web application can reach, thereby potentially exposing sensitive information or altering system state. The weakness is classified as CWE‑918, a typical SSRF vulnerability.

Affected Systems

The bSlider plugin supplied by bplugins is affected in all versions up to and including 2.0.0 installed on WordPress sites. Any installation where the plugin is active and the vulnerable fs_api_request endpoint is reachable is susceptible, regardless of other plugins or themes.

Risk and Exploitability

The CVSS base score of 4.3 indicates moderate severity, the EPSS score of less than 1% suggests that exploitation is currently unlikely, and the CVE is not listed in the CISA KEV catalog. Exploitation requires the attacker to be authenticated with subscriber-level or higher access, so the attack vector is authenticated HTTP traffic directed at the plugin’s API. An attacker who obtains such credentials can use the SSRF path to query internal endpoints, potentially leaking confidential data or disrupting internal services.

Generated by OpenCVE AI on April 20, 2026 at 22:03 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the B Slider plugin to the latest release that removes the fs_api_request vulnerability
  • If an update is unavailable, temporarily disable the B Slider plugin until a patch is released
  • Restrict subscriber roles from executing the fs_api_request functionality by tightening capability checks or removing the relevant capabilities from subscriber roles

Advisories
Source | ID | Title
EUVD | EUVD-2025-24961 | The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Server-Side Request Forgery in version less than, or equal to, 2.0.0 via the fs_api_request function. This makes it possible for authenticated attackers, with subscriber-level access and above to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
History

Fri, 15 Aug 2025 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 Aug 2025 08:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Bplugins; Bplugins b Slider; Wordpress; Wordpress wordpress
Vendors & Products | | Bplugins; Bplugins b Slider; Wordpress; Wordpress wordpress

Fri, 15 Aug 2025 02:30:00 +0000

Type | Values Removed | Values Added
Description | | The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Server-Side Request Forgery in version less than, or equal to, 2.0.0 via the fs_api_request function. This makes it possible for authenticated attackers, with subscriber-level access and above to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
Title | | B Slider - Gutenberg Slider Block for WP <= 2.0.0 - Authenticated (Subscriber+) Server-Side Request Forgery
Weaknesses | | CWE-918
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:47.839Z

Reserved: 2025-08-06T18:49:06.064Z

Link: CVE-2025-8680

Vulnrichment

Updated: 2025-08-15T12:43:30.520Z

NVD

Status: Deferred

Published: 2025-08-15T03:15:37.260

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8680

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T22:15:06Z

Weaknesses