CVE-2026-7636
Description
The Slider by Soliloquy – Responsive Image Slider for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 via the map_meta_cap. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract draft slider metadata including unpublished media URLs, captions, and slider configuration authored by administrators or editors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated subscribers can extract draft slider metadata (unpublished media URLs, captions, config) from Soliloquy plugin up to v2.8.1.
Vulnerability
The Slider by Soliloquy – Responsive Image Slider for WordPress plugin is vulnerable to Sensitive Information Exposure in all versions up to and including 2.8.1. The flaw resides in the map_meta_cap function within the Soliloquy_Posttype_Lite class, which improperly handles capability checks for draft slider posts. This allows unauthorized access to metadata of sliders that are not yet published, including unpublished media URLs, captions, and slider configuration authored by administrators or editors [2].
Exploitation
An attacker needs only an authenticated WordPress account with subscriber-level access; no further privileges and no user interaction are required. In WordPress, map_meta_cap translates a meta capability such as read_post on a specific post into the primitive capabilities the requesting user must hold. Because the plugin's mapping does not distinguish draft sliders authored by editors or administrators from content a subscriber is entitled to read, a request that triggers this capability check for a draft slider (the advisory does not name a specific endpoint) succeeds and returns metadata that should be restricted to higher-privileged users.
Impact
Successful exploitation leads to the exposure of sensitive information: unpublished media URLs (which may reveal private or draft images), captions, and slider configuration details. This information disclosure could aid further attacks or leak confidential content. The attacker does not gain write access or code execution; the impact is limited to confidentiality breach of draft slider data.
Mitigation
The vulnerability is fixed in version 2.8.2 of the plugin, as indicated by changeset r3538404 [1]. Update to the latest version immediately; no code-level workaround exists for older versions. Until the update is applied, the only mitigating factor is that exploitation requires a subscriber account, so sites with open registration (users_can_register enabled) expose their draft slider data to anyone who signs up. This CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1 product listed (the Slider by Soliloquy plugin, versions up to and including 2.8.1).
Patches
1 patch listed: changeset r3538404 (plugins.trac.wordpress.org/changeset/3538404).
Vulnerability mechanics
Root cause
"Missing capability check in the map_meta_cap function allows authenticated users with subscriber-level access to read draft slider metadata belonging to higher-privileged users."
Attack vector
An authenticated attacker with subscriber-level access or above can exploit the missing capability check in the map_meta_cap function [patch_id=1605917]. By crafting a request that references draft sliders authored by administrators or editors, the plugin returns sensitive metadata including unpublished media URLs, captions, and slider configuration. The attack is performed over the network with no special configuration required, and the only precondition is a valid WordPress user account with subscriber-level privileges.
Affected code
The vulnerability resides in the map_meta_cap method of the Soliloquy_Posttype_Lite class (includes/global/posttype.php) in the Soliloquy Slider plugin. Hooked on WordPress's map_meta_cap filter, the method translates the plugin's meta capabilities into the primitive capabilities a user must hold, but it does not verify that the requesting user is allowed to read draft sliders authored by other users. The patch modifies this method to enforce that check.
What the fix does
The patch [patch_id=1605917] adds a proper capability check within the map_meta_cap function to ensure that only users with sufficient permissions (e.g., edit_posts or edit_others_posts) can access draft slider metadata. Previously, the function did not validate whether the requesting user had the right to view sliders authored by other users. By enforcing the correct capability mapping, the patch prevents subscriber-level attackers from extracting unpublished media URLs, captions, and configuration data belonging to administrators or editors.
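The following is an added example, not code from the Soliloquy plugin or from changeset r3538404: a map_meta_cap filter for a slider post type, showing the over-permissive pattern that the advisory describes (every read_post on a slider collapsing to the primitive read capability, which subscribers hold) beside a hardened mapping that mirrors how WordPress core itself resolves read_post for non-public posts, plus an audit helper that lists the draft sliders a given user can read. The post type slug 'soliloquy', the function names prefixed example_, and the capability names are assumptions for illustration and may differ from the real plugin.

```php
<?php
/**
 * Added example (not Soliloquy's code). Assumptions: post type slug
 * 'soliloquy' and default capability_type; function names are illustrative.
 * Requires WordPress to be loaded (e.g. as a mu-plugin or via `wp eval`).
 */

// VULNERABLE PATTERN: read_post on a slider always maps to 'read', which the
// subscriber role holds, with no check of post status or author. Drafts by
// editors and administrators therefore become readable by any subscriber.
function example_slider_map_meta_cap_vulnerable( $caps, $cap, $user_id, $args ) {
    if ( 'read_post' !== $cap || empty( $args[0] ) ) {
        return $caps;
    }
    $post = get_post( $args[0] );
    if ( ! $post || 'soliloquy' !== $post->post_type ) {
        return $caps;
    }
    return array( 'read' ); // missing status/author check
}

// HARDENED: public sliders map to 'read'; the author may read their own
// draft; private sliders require read_private_posts; any other non-public
// slider requires the same primitives as editing it, which core resolves to
// edit_posts plus edit_others_posts when the requester is not the author.
function example_slider_map_meta_cap_fixed( $caps, $cap, $user_id, $args ) {
    if ( 'read_post' !== $cap || empty( $args[0] ) ) {
        return $caps;
    }
    $post = get_post( $args[0] );
    if ( ! $post || 'soliloquy' !== $post->post_type ) {
        return $caps;
    }
    $status = get_post_status_object( get_post_status( $post ) );
    if ( $status && $status->public ) {
        return array( 'read' );
    }
    if ( (int) $user_id === (int) $post->post_author ) {
        return array( 'read' );
    }
    if ( $status && $status->private ) {
        return array( 'read_private_posts' ); // assumes default capability_type
    }
    // Drafts, pending, etc.: delegate to core's edit_post mapping. This
    // re-enters the filter with $cap === 'edit_post', which this callback
    // ignores, so there is no recursion loop.
    return map_meta_cap( 'edit_post', $user_id, $post->ID );
}

// Wire the hardened mapping: priority 10, four filter arguments.
add_filter( 'map_meta_cap', 'example_slider_map_meta_cap_fixed', 10, 4 );

// AUDIT HELPER: IDs of non-public sliders that $user_id is allowed to read.
// Run it for a subscriber account; on a vulnerable site it returns drafts
// authored by other users, on a fixed site it returns an empty array.
function example_readable_draft_sliders( $user_id ) {
    $ids = get_posts( array(
        'post_type'   => 'soliloquy',
        'post_status' => array( 'draft', 'pending', 'private' ),
        'numberposts' => -1,
        'fields'      => 'ids',
    ) );
    $readable = array();
    foreach ( $ids as $post_id ) {
        if ( user_can( $user_id, 'read_post', $post_id ) ) {
            $readable[] = $post_id;
        }
    }
    return $readable;
}
```

To check a site, create a throwaway subscriber and run the audit helper with WordPress loaded, for example `wp eval 'print_r( example_readable_draft_sliders( <subscriber-user-id> ) );'`; a non-empty result for a subscriber means draft sliders authored by other users are readable through the capability mapping. The hardened callback follows the same decision order as WordPress core's own handling of read_post (public status, then author, then private status, then the edit_post mapping), which is the behaviour a plugin-defined post type should not weaken.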
Preconditions
- Authentication: the attacker must have a valid WordPress user account with at least subscriber-level access.
- Network: the attacker must be able to send HTTP requests to the WordPress site.
Generated on May 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/soliloquy-lite/tags/2.8.1/includes/global/posttype.php (NVD)
- plugins.trac.wordpress.org/browser/soliloquy-lite/trunk/includes/global/posttype.php (NVD)
- plugins.trac.wordpress.org/changeset/3538404/soliloquy-lite/trunk/includes/global/posttype.php (NVD)
- www.wordfence.com/threat-intel/vulnerabilities/id/54115a9a-dadd-4f18-a139-02ec89f0a571 (NVD)
News mentions
No linked articles in our index yet.