Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Ays Pro Image Slider by Ays ays-slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Slider by Ays: from n/a through <= 2.7.1.
AnalysisAI
Image Slider By Ays versions 2.7.1 and earlier contain a missing authorization flaw that allows unauthenticated remote attackers to modify content through improper access control validation. The vulnerability affects the plugin's core functionality and could enable unauthorized changes to website content without proper authentication checks. No patch is currently available.
Technical ContextAI
The Ays Pro Image Slider (CPE: cpe:2.3:a:ays-slider:image_slider_by_ays) is a WordPress plugin used to create and manage responsive image sliders. The vulnerability stems from CWE-862 (Missing Authorization), which occurs when the application fails to properly verify that a user has permission to access a resource before granting access. In this case, the plugin's access control mechanisms for image slider operations are insufficiently validated, allowing attackers to bypass authentication checks on API endpoints or administrative functions. The vulnerability likely affects REST API endpoints or WordPress AJAX handlers that manage slider content without proper capability checks (typically checking for 'manage_options' or custom plugin capabilities).
RemediationAI
Immediately upgrade the Ays Pro Image Slider plugin to version 2.7.2 or later, which should contain authorization checks for slider modification operations. Access the WordPress plugin dashboard, locate 'Image Slider by Ays,' and click 'Update Now' if available. If a patched version is not yet available from the vendor, implement temporary mitigations including disabling REST API access for the plugin via security plugins (e.g., Wordfence), restricting administrative access via Web Application Firewall (WAF) rules to known administrator IP ranges, and limiting direct access to slider AJAX endpoints. Additionally, audit recent modifications to sliders within the WordPress admin panel to detect unauthorized changes made during the vulnerability window. Monitor WordPress security repositories and the plugin's official GitHub or support channels for security patch releases.
More in Image Slider By Ays
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11919