Responsive Slider By Metaslider CVE-2026-39467

EUVD-2026-24075 · HIGH
Deserialization of Untrusted Data (CWE-502)
2026-04-21 · Patchstack · GHSA-pccm-93c8-h8qm
7.2 (CVSS 3.1 · NVD)
Severity by source

NVD (primary): 7.2 HIGH, AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Updated: Apr 21, 2026 - 10:27 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Apr 21, 2026 - 10:22 (vuln.today), cvss_changed
Analysis Generated: Apr 21, 2026 - 09:55 (vuln.today)
EUVD ID Assigned: Apr 21, 2026 - 09:45 (euvd), EUVD-2026-24075
Analysis Generated: Apr 21, 2026 - 09:45 (vuln.today)
CVE Published: Apr 21, 2026 - 09:35 (nvd), HIGH 7.2

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in MetaSlider Responsive Slider by MetaSlider allows Object Injection. This issue affects Responsive Slider by MetaSlider: from n/a through 3.106.0.

Analysis (AI)

PHP object injection in MetaSlider Responsive Slider plugin (WordPress) through version 3.106.0 allows authenticated administrators with high privileges to execute arbitrary code by deserializing untrusted data. The vulnerability requires authenticated high-privilege access (PR:H), limiting exploitation to compromised admin accounts or malicious insiders. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain admin credentials via phishing/credential stuffing
Delivery: Authenticate to WordPress admin panel
Exploit: Access MetaSlider plugin configuration
Execution: Submit crafted serialized PHP object
Persist: Trigger deserialization in vulnerable code
Impact: Execute arbitrary code via POP chain

Vulnerability Assessment (AI)

Exploitation: Requires authenticated access with WordPress administrator (high privilege) role. …
Risk Assessment: The CVSS base score of 7.2 (High) reflects significant potential impact (C:H/I:H/A:H) but is tempered by high privilege requirements (PR:H). …
Exploit Scenario: An attacker who previously compromised a WordPress administrator account through phishing or password reuse logs into the WordPress admin panel. The attacker navigates to a MetaSlider configuration interface that processes serialized data input. …
Remediation: Update MetaSlider Responsive Slider plugin to version 3.106.1 or later if available (fixed version not explicitly confirmed in provided data; verify with the vendor advisory at the Patchstack reference URL https://patchstack.com/database/wordpress/plugin/ml-slider/vulnerability/wordpress-responsive-slider-by-metaslider-plugin-3-106-0-php-object-injection-vulnerability). …

Recommended Action (AI)

Within 24 hours: Inventory all WordPress installations using MetaSlider and document installed version numbers. …