Impact
A logic error in the permission check performed by the 'cpis_admin_init' function permits authenticated users with Contributor level access or higher to import arbitrary products using XML files that have already been uploaded to the server. This flaw effectively grants them the ability to alter product data within the plugin, potentially introducing malicious or malformed content. The vulnerability is limited to the import functionality; it does not grant arbitrary code execution or full administrative control over the site.
Affected Systems
WordPress sites running the CP Image Store with Slideshow plugin version 1.1.9 or earlier, released by the vendor codepeople. These installations expose the import feature to product modification by any authenticated user with Contributor privileges or higher.
Risk and Exploitability
The CVSS score of 4.3 places the vulnerability in the moderate severity range, while the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation requires an existing authenticated account with at least the Contributor role, a role routinely granted to site contributors. An attacker would need to have the XML file already uploaded or upload a new one, then trigger the import routine. Because legitimate WordPress authentication is required and there is no remote code execution path, the overall risk to the site is considered moderate but not high.
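The flaw described above is a permission check on an admin_init handler that lets a Contributor reach an import routine meant for administrators. The following is an added example of how such a handler is normally hardened in WordPress; it is not the plugin's code, the plugin's actual check is not shown on this page, and every function and form-field name prefixed with example_ is a hypothetical placeholder.

```php
<?php
// Added illustrative example, not the CP Image Store plugin's code.
// Hook name 'admin_init' is real; 'example_*' names are placeholders.

add_action( 'admin_init', 'example_secure_import_init' );

function example_secure_import_init() {
    // Act only when the import action was explicitly submitted.
    if ( ! isset( $_POST['example_import_products'] ) ) {
        return;
    }

    // 1. Capability check. A Contributor is authenticated but does not hold
    //    'manage_options' on a default install; only Administrators do.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to import products.', 'example' ), 403 );
    }

    // 2. CSRF check. Dies unless the form carries a nonce bound to this action.
    check_admin_referer( 'example_import_products', 'example_import_nonce' );

    // 3. Input validation. Resolve the requested file strictly inside the
    //    uploads directory and require an .xml extension.
    $upload_dir = wp_upload_dir();
    $base       = wp_normalize_path( realpath( $upload_dir['basedir'] ) );
    $requested  = sanitize_file_name( wp_unslash( $_POST['example_xml_file'] ?? '' ) );
    $path       = wp_normalize_path( realpath( $base . '/' . $requested ) );

    if ( ! $path || strpos( $path, $base . '/' ) !== 0 || substr( $path, -4 ) !== '.xml' ) {
        wp_die( esc_html__( 'Invalid import file.', 'example' ), 400 );
    }

    // 4. Parse without network access for external resources; entity
    //    substitution stays off because LIBXML_NOENT is not passed.
    $xml = simplexml_load_string( file_get_contents( $path ), 'SimpleXMLElement', LIBXML_NONET );
    if ( false === $xml ) {
        wp_die( esc_html__( 'Malformed XML.', 'example' ), 400 );
    }

    // Hypothetical import routine that writes the validated product data.
    example_import_products_from_xml( $xml );
}
```

Detection-wise, an import triggered by a Contributor account (visible in access logs as a POST to an admin endpoint from a low-privilege session) is the signal a site owner on an unpatched version would look for.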
OpenCVE Enrichment