CVE-2026-57649

Subscriber Broken Access Control in Shoppable Images Lite = 1.3 versions...

CVE-2026-57649

The CVE concerns the WordPress Shoppable Images Lite plugin (versions

EUVD-2026-39764

Subscriber Broken Access Control in Shoppable Images Lite = 1.3 versions...

WordPress Shoppable Images Lite plugin <= 1.3 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Ananda Dhakal Patchstack in WordPress Plugin Shoppable Images Lite versions = 1.3...

Shoppable Images Lite < 1.2.4 - Arbitrary Post Deletion via CSRF

The plugin does not have CSRF checks in some places, for example when deleting/updating images. Furthermore, it does not ensure that the image to be deleted are actually images, which could allow attackers to make logged in admins delete arbitrary posts via a CSRF attack...

WordPress Shoppable Images Lite Plugin <= 1.2.3 is vulnerable to Cross Site Request Forgery (CSRF)

Software Shoppable Images Lite Type Plugin Vulnerable versions = 1.2.3 Fixed in 1.2.4 OWASP Top 10 A5: Broken Access Control Classification Cross Site Request Forgery CSRF CVE CVE-2023-25698 Patch priority Low CVSS severity Low 5.4 Developer Claim ownership PSID d071aa365d52 Credits Rio Darmawan...

WordPress Shoppable Images Lite plugin <=1.0.0 - Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerabilities

WordPress Shoppable Images Lite plugin Cross-Site Request Forgery CSRF/PHP Object Injection Vulnerabilities were found in the showadminnotices function. The value of $GET nonce variable is unserialized, which allows PHP object injection. Solution Update the plugin...