CVE-2026-0684: CWE-863 Incorrect Authorization in codepeople CP Image Store with Slideshow
The CP Image Store with Slideshow plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9 due to a logic error in the 'cpis_admin_init' function's permission check. This makes it possible for authenticated attackers, with Contributor-level access and above, to import arbitrary products via XML, if the XML file has already been uploaded to the server.
AI Analysis
Technical Summary
CVE-2026-0684 is a medium-severity authorization bypass vulnerability identified in the CP Image Store with Slideshow plugin for WordPress, affecting all versions up to and including 1.1.9. The root cause is a logic error in the 'cpis_admin_init' function, which incorrectly verifies user permissions before allowing product import operations. Specifically, authenticated users with Contributor-level privileges or higher can exploit this flaw to import arbitrary products via XML files that have already been uploaded to the server. This bypasses intended authorization controls, enabling unauthorized modification of product data within the plugin. The vulnerability does not require user interaction and can be exploited remotely with low attack complexity. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) reflects that the attack requires some privileges but no user interaction, impacts integrity but not confidentiality or availability, and affects network-exposed components. Although no public exploits are known at this time, the vulnerability poses a risk to the integrity of e-commerce content managed through this plugin. The plugin is used primarily in WordPress environments, which are widely deployed globally, especially in small to medium-sized businesses and e-commerce sites. The lack of a patch link suggests that users must monitor vendor updates or apply manual mitigations. The CWE-863 classification highlights the incorrect authorization logic as the core issue.
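The flaw described above is a permission check that lets a Contributor reach an administrator-only import. As an added illustration (not the plugin's code and not a reconstruction of its actual bug), the following PHP contrasts an admin_init handler whose only gate is "is someone logged in?", which every role satisfies, with one that requires a capability Contributors do not hold, verifies a nonce, confines the requested file to the uploads directory, and writes an audit line. All `demo_*` names, the `demo_product` post type, and the `<product><title/><content/></product>` layout are assumptions.

```php
<?php
/*
 * Added illustration, not the plugin's code: a capability-gated XML product import
 * on WordPress's admin_init hook. Every demo_* name, the 'demo_product' post type
 * and the <product><title/><content/></product> layout are assumptions.
 */

// Weak pattern (hypothetical): the only question asked is "is someone logged in?".
// Any role, Contributor included, answers yes, so the import is not actually authorized.
function demo_admin_init_weak() {
    if ( ! is_user_logged_in() || ! isset( $_POST['demo_import'] ) ) {
        return;
    }
    demo_import_products_from_xml( $_POST['demo_import'] );
}

// Hardened pattern: capability check, nonce check, and a path confined to uploads.
function demo_admin_init_hardened() {
    if ( ! isset( $_POST['demo_import'] ) ) {
        return;
    }
    // Check a capability, not a role name: Contributors lack manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to import products.', '', array( 'response' => 403 ) );
    }
    // CSRF protection: dies unless the request carries a valid nonce for this action.
    check_admin_referer( 'demo_import_action', 'demo_import_nonce' );

    // Resolve the requested file inside the uploads directory only; sanitize_file_name()
    // strips directory separators, and the realpath() prefix test catches the rest.
    $base = realpath( wp_upload_dir()['basedir'] );
    $name = sanitize_file_name( wp_unslash( $_POST['demo_import'] ) );
    $path = ( false !== $base ) ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;
    if ( false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR )
        || 'xml' !== strtolower( pathinfo( $path, PATHINFO_EXTENSION ) ) ) {
        wp_die( 'Invalid import file.', '', array( 'response' => 400 ) );
    }

    $count = demo_import_products_from_xml( $path );
    // Audit trail: which user imported how many products from which file.
    error_log( sprintf( 'demo import: user %d imported %d products from %s',
        get_current_user_id(), $count, $path ) );
}
add_action( 'admin_init', 'demo_admin_init_hardened' );

// Parses the XML with network access disabled (LIBXML_NONET) and without entity
// substitution, then creates one draft 'demo_product' post per <product>.
// Returns the number of posts created.
function demo_import_products_from_xml( $path ) {
    libxml_use_internal_errors( true );
    $xml = simplexml_load_file( $path, 'SimpleXMLElement', LIBXML_NONET );
    if ( false === $xml ) {
        return 0;
    }
    $count = 0;
    foreach ( $xml->product as $product ) {
        $id = wp_insert_post( array(
            'post_type'    => 'demo_product',
            'post_status'  => 'draft', // never publish straight from an import
            'post_title'   => sanitize_text_field( (string) $product->title ),
            'post_content' => wp_kses_post( (string) $product->content ),
        ) );
        if ( $id && ! is_wp_error( $id ) ) {
            $count++;
        }
    }
    return $count;
}
```

The point of the contrast is that `is_user_logged_in()` (or a check against a low capability such as `edit_posts`, which Contributors also hold) answers a different question than "may this user modify the catalog?". Testing a capability rather than a role name keeps the check correct when site owners customise roles, and the nonce stops a logged-in administrator from being tricked into triggering the import from another site.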
Potential Impact
The primary impact of CVE-2026-0684 is the unauthorized modification of product data within WordPress sites using the CP Image Store with Slideshow plugin. Attackers with Contributor-level access can import arbitrary products, potentially leading to fraudulent listings, misinformation, or manipulation of e-commerce catalogs. While confidentiality and availability are not directly affected, the integrity compromise can damage business reputation, cause financial loss, and undermine customer trust. Organizations relying on this plugin for product management are at risk of unauthorized content injection or alteration, which could be leveraged for further attacks such as phishing or malware distribution if malicious products are introduced. The vulnerability's exploitation requires authenticated access but no user interaction, making insider threats or compromised contributor accounts particularly dangerous. Given WordPress's widespread use, the scope of affected systems is significant, especially among small and medium enterprises that may not have rigorous access controls or monitoring. The absence of known exploits in the wild currently limits immediate widespread impact but does not diminish the need for prompt remediation.
Mitigation Recommendations
To mitigate CVE-2026-0684, organizations should first verify if they are using the CP Image Store with Slideshow plugin version 1.1.9 or earlier and plan to upgrade to a patched version once available. Until an official patch is released, administrators should restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of exploitation. Implement strict access controls and monitor user activities related to product imports and XML file uploads. Disable or remove the plugin if it is not essential to reduce the attack surface. Additionally, consider implementing web application firewalls (WAFs) with custom rules to detect and block unauthorized XML import attempts. Regularly audit uploaded files on the server to detect suspicious XML files that could be used in exploitation. Employ logging and alerting mechanisms to identify unusual import activities promptly. Educate contributors about the risks of privilege misuse and enforce strong authentication mechanisms to prevent account compromise. Finally, stay informed about vendor updates and apply patches immediately upon release.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-07T18:36:16.239Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69664f10a60475309f2ea2d5
Added to database: 1/13/2026, 1:56:32 PM
Last enriched: 2/26/2026, 6:35:31 PM
Last updated: 3/24/2026, 12:22:04 AM