Skip to main content

Jssor Slider CVE-2026-14244

| EUVDEUVD-2026-42159 HIGH
Path Traversal (CWE-22)
2026-07-08 Wordfence GHSA-j9c4-4mg9-mwfh
7.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable path traversal (AV:N/AC:L/PR:N/UI:N) yielding arbitrary file read, so C:H with no integrity or availability impact and unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 05:27 vuln.today
CVE Published
Jul 08, 2026 - 04:30 nvd
HIGH 7.5

DescriptionCVE.org

The Jssor Slider by jssor.com plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.1.24 via the 'url' parameter parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

AnalysisAI

Arbitrary file disclosure in the Jssor Slider by jssor.com WordPress plugin (all versions through 3.1.24) lets unauthenticated remote attackers traverse the filesystem via the 'url' parameter and read the contents of any file the web server can access, such as wp-config.php. Wordfence disclosed the flaw and points to the plugin's admin controller code; no public exploit is identified at time of analysis and it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running Jssor Slider plugin
Delivery
Send request with traversal in 'url' parameter
Exploit
Bypass path validation via '../' sequences
Execution
Read arbitrary server file (e.g. wp-config.php)
Impact
Harvest DB credentials and secret keys

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of the Jssor Slider WordPress plugin (versions ≤3.1.24), reachable over the network with no authentication and no user interaction (AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) describes a cleanly exploitable, network-reachable, unauthenticated read primitive with no user interaction - high confidentiality impact and no integrity or availability impact, which is consistent with a file-read directory traversal. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a single crafted HTTP request to the plugin's endpoint with a 'url' parameter set to a traversal sequence like '../../../../wp-config.php', and the server returns the file's contents, exposing database credentials and WordPress secret keys. With low attack complexity and no authentication or user interaction required, this is trivially scriptable and can be run at scale against many WordPress sites; no public POC is identified in the provided data.
Remediation No vendor-released patch identified at time of analysis - all versions through 3.1.24 are listed as vulnerable and no fixed version is provided, so upgrading is not yet a confirmed option; monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/0cd880c9-75fe-420b-ae41-558678adb57b?source=cve) and the plugin page for a release above 3.1.24. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations running Jssor Slider plugin versions ≤3.1.24, immediately deactivate the plugin on all affected systems, and document affected installations for remediation tracking. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14244 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy