Description
Editor Remote Code Execution (RCE) in Responsive Slider by MetaSlider <= 3.106.0 versions.
Published: 2026-06-15
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to execute code remotely via the editor function of the MetaSlider Responsive Slider plugin. This remote code execution flaw can be leveraged to run arbitrary PHP scripts, potentially compromising the entire WordPress site. The weakness is identified as CWE-94, which represents code injection or execution vulnerabilities.

Affected Systems

The affected product is Responsive Slider by MetaSlider (vendor: MetaSlider). All installations running version 3.106.0 or earlier of the plugin are vulnerable. Releases 3.107.0 and later are safe.

Risk and Exploitability

The CVSS score of 9.1 reflects critical severity. The EPSS score is below 1%, indicating a low probability of widespread exploitation at this time, but the impact remains critical. The vulnerability is not listed in CISA KEV. Attackers would likely need access to the WordPress admin editor interface or the ability to inject rogue content into it; this is inferred from the description and is consistent with the PR:H (high privileges required) component of the CVSS vector. Once executed, code could run with the permissions of the web server process.

Generated by OpenCVE AI on June 16, 2026 at 20:15 UTC.

Remediation

Vendor Solution

Update the WordPress Responsive Slider by MetaSlider Plugin to the latest available version (at least 3.107.0).


OpenCVE Recommended Actions

  • Upgrade the WordPress Responsive Slider by MetaSlider plugin to version 3.107.0 or later.
  • Disable or remove any custom editor scripts until the update is installed to prevent payload injection.
  • Restrict administrative access to trusted users and monitor logs for signs of unauthorized PHP code execution.



Advisories

No advisories yet.

History

Tue, 16 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Metaslider; Metaslider responsive Slider By Metaslider; Wordpress; Wordpress wordpress
Vendors & Products | | Metaslider; Metaslider responsive Slider By Metaslider; Wordpress; Wordpress wordpress

Mon, 15 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | Editor Remote Code Execution (RCE) in Responsive Slider by MetaSlider <= 3.106.0 versions.
Title | | WordPress Responsive Slider by MetaSlider plugin <= 3.106.0 - Remote Code Execution (RCE) vulnerability
Weaknesses | | CWE-94
References | |
Metrics | | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T12:37:22.979Z

Reserved: 2026-04-07T10:41:57.169Z

Link: CVE-2026-39465

Vulnrichment

Updated: 2026-06-16T12:37:15.310Z

NVD

Status: Deferred

Published: 2026-06-15T21:16:43.480

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-39465

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T20:30:03Z

Weaknesses
  • CWE-94: Improper Control of Generation of Code ('Code Injection')