CVE-2025-54734
Description
Missing Authorization vulnerability in bPlugins B Slider b-slider allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects B Slider: from n/a through <= 1.1.30.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
B Slider plugin <=1.1.30 has a missing authorization vulnerability that allows unauthenticated attackers to exploit broken access controls.
The B Slider plugin for WordPress, in versions up to and including 1.1.30, has a missing authorization vulnerability. The plugin does not properly implement access control checks, so incorrectly configured access control security levels can be exploited. The issue stems from missing capability checks or nonce verification in certain functions, which lets low-privileged or unauthenticated users perform privileged actions.
The attack surface is significant because the plugin is widely used. An attacker with no prior authentication can exploit this vulnerability by sending crafted HTTP requests to vulnerable endpoints. No special network access or user interaction is required, making it trivial to scale attacks across thousands of sites simultaneously.
Successful exploitation can lead to unauthorized modification of plugin settings, content injection, or other administrative actions normally restricted to higher-privileged users. The impact is increased by the potential for mass exploitation campaigns targeting any WordPress site running the vulnerable version, regardless of its popularity or traffic size [1].
The vendor has released version 2.0.0, which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, applying a virtual patch or mitigation rule (such as those provided by Patchstack) can block exploitation attempts until the update is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
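To check an installation against the affected range given above (through <= 1.1.30), the following added example, which is not code from this page, the vendor or Patchstack, reads the plugin's `Version:` header from disk and compares it numerically. It assumes the plugin lives under `wp-content/plugins/b-slider`; the stub file name `plugin.php` and the sample trees are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_MAX = (1, 1, 30)   # from the advisory: affected through <= 1.1.30
PLUGIN_SLUG = "b-slider"    # slug as written in the CVE description

# Same comment prefixes WordPress tolerates in front of a header field.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.I | re.M)

def parse_version(text):
    """Turn '1.1.30' into (1, 1, 30) so 1.1.9 sorts below 1.1.30."""
    parts = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))

def installed_version(plugin_dir):
    """Return the Version header of the top-level PHP file carrying 'Plugin Name:'."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # headers sit in the first 8 KB
        if re.search(r"Plugin Name:", head, re.I):
            match = HEADER_RE.search(head)
            if match:
                return match.group(1)
    return None

def audit(wp_root):
    """Return (status, version) for the B Slider copy under one WordPress root."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    ver = installed_version(plugin_dir) if plugin_dir.is_dir() else None
    if ver is None:
        return ("not-installed", None)
    status = "affected" if parse_version(ver) <= AFFECTED_MAX else "not-affected"
    return (status, ver)

def make_site(root, version):
    """Build a constructed WordPress tree with a stub plugin header (sample data)."""
    plugin_dir = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
    plugin_dir.mkdir(parents=True)
    stub = f"<?php\n/**\n * Plugin Name: B Slider\n * Version: {version}\n */\n"
    (plugin_dir / "plugin.php").write_text(stub)  # hypothetical file name
    return root

if __name__ == "__main__":
    for sample in ("1.1.30", "1.1.9", "2.0.0"):
        with tempfile.TemporaryDirectory() as tmp:
            print(sample, audit(make_site(tmp, sample)))
```

Comparing versions as integer tuples matters here: a plain string comparison would rank 1.1.9 above 1.1.30 and miss an affected install.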
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles in our index yet)