Platform
wordpress
Component
ays-slider
Fixed in
2.7.1
CVE-2025-14454 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Image Slider by Ays WordPress plugin. This flaw allows unauthenticated attackers to potentially delete arbitrary sliders if they can trick a site administrator into performing a malicious action. The vulnerability affects versions from 0.0.0 through 2.7.0, and a patch has been released in version 2.7.1.
The primary impact of this vulnerability is the unauthorized deletion of WordPress sliders. An attacker could craft a malicious link or embed a hidden form on a website that, when visited by an administrator, would trigger the deletion of sliders. This could disrupt website functionality, remove important content, and potentially cause reputational damage. While the vulnerability requires administrator interaction, the ease of crafting CSRF attacks makes it a significant risk, especially for sites with a large number of administrators or those that frequently share links.
This vulnerability was publicly disclosed on 2025-12-13. No public proof-of-concept (PoC) code has been released at the time of writing, but the relatively simple nature of CSRF exploitation suggests that a PoC could emerge quickly. It is not currently listed on the CISA KEV catalog. The EPSS score is likely to be medium, reflecting the ease of exploitation and potential impact.
Affected are WordPress websites running the Image Slider by Ays plugin, particularly those with multiple administrators or those that frequently share links containing administrative actions. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as an attacker could potentially exploit the vulnerability on one site to impact others.
• wordpress / composer / npm:
  grep -r 'ays-responsive-slider-and-carousel/includes/functions.php' /var/www/html/
• wordpress / composer / npm:
  wp plugin list | grep 'ays-responsive-slider-and-carousel'
• wordpress / composer / npm:
  wp plugin update --all
• generic web: Check WordPress admin activity logs for suspicious slider deletion events.
• generic web: Monitor access logs for requests containing suspicious parameters related to slider deletion.
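The commands above only locate the plugin; they do not tell you whether the installed copy is still in the affected range. The following script is an added example, not part of this advisory and not the plugin's own code: it reads the "Version:" header that WordPress itself uses to identify a plugin, compares it against the fixed version 2.7.1 with a plain dotted-version comparison, and reports the result through its exit status so it can be dropped into a fleet check. The directory path and the sample plugin header it creates for the demo are constructed; point it at your real wp-content/plugins/ays-responsive-slider-and-carousel directory instead.

```shell
#!/bin/sh
# Added example, not from the advisory or the plugin: decide whether an
# installed copy of the plugin falls in the affected range (below 2.7.1)
# by reading the "Version:" header WordPress uses to identify a plugin.
# The directory layout and the sample header below are constructed.

FIXED_VERSION="2.7.1"

# Print the version declared in a plugin file's header block, if any.
# $1 = path to a PHP file
plugin_header_version() {
    [ -r "$1" ] || return 1
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if dotted version $1 is lower than $2 (missing components count as 0).
# Only digits and dots are expected, which is what plugin_header_version emits.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
    done
    return 1
}

# Report the state of one plugin directory.
# $1 = plugin directory, e.g. /var/www/html/wp-content/plugins/ays-responsive-slider-and-carousel
# Exit status: 0 = affected, 1 = patched, 2 = plugin not found or no header
ays_slider_status() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "not installed: $dir"
        return 2
    fi
    ver=""
    for f in "$dir"/*.php; do
        # WordPress reads headers from top-level PHP files; the one carrying
        # "Plugin Name:" is the main plugin file.
        [ -f "$f" ] || continue
        if grep -q 'Plugin Name:' "$f"; then
            ver="$(plugin_header_version "$f")"
            if [ -n "$ver" ]; then break; fi
        fi
    done
    if [ -z "$ver" ]; then
        echo "no plugin header found in $dir"
        return 2
    fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "AFFECTED: $dir is version $ver (< $FIXED_VERSION), CVE-2025-14454 applies"
        return 0
    fi
    echo "patched: $dir is version $ver (>= $FIXED_VERSION)"
    return 1
}

# Constructed demo: a throwaway plugin directory carrying a vulnerable header.
demo_root="$(mktemp -d)"
demo_dir="$demo_root/ays-responsive-slider-and-carousel"
mkdir -p "$demo_dir"
cat > "$demo_dir/sample-main.php" <<'EOF'
<?php
/**
 * Plugin Name: Image Slider by Ays (constructed sample header, not the real file)
 * Version: 2.7.0
 */
EOF
ays_slider_status "$demo_dir" || true   # reports the constructed 2.7.0 copy as affected
rm -rf "$demo_root"
```

The exit codes make the function usable from a loop over many document roots: 0 means the copy still needs the 2.7.1 upgrade, 1 means it is already at or above the fixed version, and 2 means nothing recognisable was found, which should be treated as "verify manually" rather than "safe". The comparison is numeric per component, so 2.10.0 correctly sorts above 2.7.1.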
Disclosure
Exploit Status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The recommended mitigation is to immediately upgrade the Image Slider by Ays plugin to version 2.7.1 or later. If upgrading is not immediately feasible, consider implementing stricter access controls for slider management functions. Web Application Firewalls (WAFs) can be configured to detect and block suspicious CSRF requests targeting the plugin's bulk delete functionality. Monitor WordPress admin activity logs for unusual slider deletion events. After upgrading, verify the fix by attempting to trigger a slider deletion via a crafted CSRF request and confirming that it is blocked.
Update to version 2.7.1, or a newer patched version
CVE-2025-14454 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Image Slider by Ays WordPress plugin, allowing unauthorized slider deletion.
You are affected if you are using the Image Slider by Ays plugin in versions 0.0.0 through 2.7.0. Upgrade to 2.7.1 or later to mitigate the risk.
Upgrade the Image Slider by Ays plugin to version 2.7.1 or later. Consider implementing stricter access controls and WAF rules as additional precautions.
No active exploitation has been confirmed at this time, but the ease of CSRF exploitation suggests potential for future attacks.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.