VYPR
Medium severity (4.3) · NVD Advisory · Published Jun 15, 2026

CVE-2016-20074

Description

CSRF in WordPress Lazy Content Slider Plugin ≤3.4 lets attackers trick admins into modifying plugin settings via a crafted form.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

WordPress Lazy Content Slider Plugin version 3.4 (and, per the description, earlier releases) contains a cross-site request forgery (CSRF) vulnerability in its settings interface, lzcs_admin.php. The settings page, reached at admin.php?page=lazy-content-slider%2Flzcs.php, processes POST requests that set configuration parameters such as lzcs_color and lzcs_count. The plugin performs no nonce or Origin/Referer verification on that request, so an attacker can craft an HTML form on a third-party site that, when submitted by an authenticated administrator's browser (which attaches the WordPress session cookies), performs the state change as if the administrator had made it [1][2].

Exploitation

An attacker must lure a logged-in WordPress administrator to a crafted HTML page (or a link to one containing an auto-submitting form) while the admin session is active. The form targets the plugin's settings page (e.g., http://target/wp-admin/admin.php?page=lazy-content-slider%2Flzcs.php) with hidden or preset fields such as lzcs_color=dark and lzcs_count=5. When the form is submitted, whether by a click or by JavaScript auto-submit, the browser sends the administrator's cookies with it and the plugin applies the change as though the administrator intended it [2]. No privileges or network position beyond the ability to deliver the malicious page are required. One practical caveat: Chromium-based browsers treat cookies that carry no SameSite attribute as SameSite=Lax, which withholds the session cookie from a cross-site POST, so exploitability against a current browser depends on the victim's browser and cookie configuration rather than on the plugin alone.

Impact

A successful CSRF attack modifies the plugin's configuration parameters (e.g., color scheme and count). This is a low-severity integrity impact that could degrade the appearance or behavior of the slider but does not lead to direct information disclosure, privilege escalation, or remote code execution [1]. The attacker cannot override admin capabilities or install malicious code via this vector because the parameters are limited to presentation and count settings.

Mitigation

The vulnerability has not been patched; version 3.4 is the final release and the plugin appears to be abandoned (last updated in 2015). The vendor has not issued a fixed version. Administrators should remove the plugin if it is not essential. Where it must stay, a Web Application Firewall rule that rejects POST requests to the plugin's settings page (admin.php?page=lazy-content-slider%2Flzcs.php) whose Origin or Referer header does not match the site blocks the forged request [1]. Note that narrowing which roles may reach the settings page does not help on its own: the forged request is issued from a legitimate administrator's browser, so it passes any capability check. This CVE is not listed in CISA's KEV catalog as of the publication date.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing CSRF protection (nonce or origin validation) on the plugin settings form allows attackers to forge state-changing POST requests."

Attack vector

An attacker crafts a malicious HTML form that submits a POST request to the WordPress admin settings page of the Lazy Content Slider plugin. The form includes parameters like `lzcs_color` and `lzcs_count` that modify the plugin's configuration. When an authenticated administrator visits the attacker's page, the form auto-submits (or the administrator is tricked into clicking submit), changing the plugin settings without the administrator's consent. This is a classic cross-site request forgery (CWE-352), as demonstrated by the PoC in [1].

Affected code

The vulnerable page is `/wp-content/plugins/lazy-content-slider/lzcs_admin.php` in the Lazy Content Slider plugin version 3.4. The plugin's settings page at `admin.php?page=lazy-content-slider%2Flzcs.php` accepts POST parameters such as `lzcs_color` and `lzcs_count` without any CSRF token or origin validation.

What the fix does

The advisory does not provide a patch. To fix this CSRF vulnerability, the plugin should bind the settings form to a WordPress nonce: emit one with `wp_nonce_field()` inside the form and verify it with `check_admin_referer()` (which calls `wp_die()` on failure) or `wp_verify_nonce()` before processing the POST data. A WordPress nonce is not strictly single-use; it is an HMAC-derived token tied to the logged-in user, a named action, and a 12 to 24 hour window, and a third-party site has no way to obtain it. The nonce check should be paired with a `current_user_can()` capability check, because a nonce proves the request came from the plugin's own form, not that the user is authorized, and the submitted values should still be validated before they are stored. Without such a token, any third-party site can forge requests on behalf of an authenticated administrator.
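The following is an added illustration, not the Lazy Content Slider plugin's own code: a minimal settings-page handler in the vulnerable shape described above (any POST carrying the fields is applied) beside a hardened version that adds the nonce, capability, and value checks. The option names `lzcs_color` and `lzcs_count` come from the advisory; the function names, the menu slug, the allowed colour values and the count bounds are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. Field/option names lzcs_color and
// lzcs_count come from the advisory; everything else here is assumed.

// BEFORE (vulnerable pattern): whatever arrives by POST is stored. A forged
// cross-site form submitted by a logged-in administrator reaches this code
// with the admin's cookies attached, so the options are silently changed.
function lzcs_settings_page_vulnerable() {
    if ( isset( $_POST['lzcs_color'] ) ) {
        update_option( 'lzcs_color', $_POST['lzcs_color'] );
        update_option( 'lzcs_count', $_POST['lzcs_count'] );
    }
    // ... form markup without any nonce field ...
}

// AFTER (hardened): capability check, nonce bound to a named action, and
// validation of the submitted values before they are written.
function lzcs_settings_page_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    if ( isset( $_POST['lzcs_save'] ) ) {
        // Ends the request with a 403 unless a nonce for exactly this action,
        // issued to this user within the current window, is present.
        // A third-party page cannot produce one, so a forged POST stops here.
        check_admin_referer( 'lzcs_save_settings', 'lzcs_nonce' );

        $allowed_colors = array( 'light', 'dark' ); // assumed set of valid values
        $color = isset( $_POST['lzcs_color'] ) ? sanitize_key( $_POST['lzcs_color'] ) : 'light';
        if ( ! in_array( $color, $allowed_colors, true ) ) {
            $color = 'light';
        }
        $count = isset( $_POST['lzcs_count'] ) ? absint( $_POST['lzcs_count'] ) : 5;
        $count = max( 1, min( $count, 20 ) ); // assumed bounds

        update_option( 'lzcs_color', $color );
        update_option( 'lzcs_count', $count );
        echo '<div class="updated"><p>Settings saved.</p></div>';
    }

    $color = get_option( 'lzcs_color', 'light' );
    $count = get_option( 'lzcs_count', 5 );
    ?>
    <div class="wrap">
      <h1>Lazy Content Slider</h1>
      <form method="post">
        <?php wp_nonce_field( 'lzcs_save_settings', 'lzcs_nonce' ); ?>
        <p><label>Color
          <select name="lzcs_color">
            <option value="light" <?php selected( $color, 'light' ); ?>>light</option>
            <option value="dark" <?php selected( $color, 'dark' ); ?>>dark</option>
          </select></label></p>
        <p><label>Count
          <input type="number" name="lzcs_count" min="1" max="20"
                 value="<?php echo esc_attr( $count ); ?>"></label></p>
        <?php submit_button( 'Save', 'primary', 'lzcs_save' ); ?>
      </form>
    </div>
    <?php
}

// Register the hardened page under Settings (slug is assumed).
add_action( 'admin_menu', function () {
    add_options_page( 'Lazy Content Slider', 'Lazy Content Slider',
        'manage_options', 'lzcs-settings', 'lzcs_settings_page_fixed' );
} );
```

Dropped into a plugin file, the hardened handler rejects a request that lacks the `lzcs_nonce` field or carries one generated for another user or action, which is exactly what the cross-site form in the Exploitation section would send. The capability check and the whitelist on `lzcs_color` are deliberate: the nonce only establishes that the request originated from this form, so authorization and input validation still have to be done separately.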

Preconditions

  • input: The attacker must trick an authenticated WordPress administrator into visiting a page containing the malicious HTML form.
  • config: The Lazy Content Slider plugin version 3.4 (or earlier) must be installed and active on the target WordPress site.
  • auth: The administrator must have the capability to access the plugin's settings page.

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.