Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-0684: CP Image Store with Slideshow <= 1.1.9 – Missing Authorization to Authenticated (Contributor+) Arbitrary Product Import (cp-image-store)

CVE ID: CVE-2026-0684
Severity: Medium (CVSS 4.3)
CWE: 863
Vulnerable Version: 1.1.9
Patched Version: 1.2.0
Disclosed: January 11, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-0684:
This vulnerability is an authorization bypass in the CP Image Store with Slideshow WordPress plugin. The flaw allows authenticated users with Contributor-level permissions or higher to import arbitrary products via XML. The vulnerability affects all plugin versions up to and including 1.1.9, with a CVSS score of 4.3.

The root cause is a flawed logic condition within the `cpis_admin_init` function. The vulnerable code is located in the main plugin file, `cp-image-store/cp-image-store.php`, around line 826. The original condition `if ( empty( $_POST['cpis_import'] ) || ! ( wp_verify_nonce( … ) || ! current_user_can( 'manage_options' ) ) )` groups its boolean operators incorrectly. Because the negated capability check sits inside the parenthesised `||`, the outer `!` turns a missing `manage_options` capability into a pass: the import proceeds precisely when the user does NOT have that capability, effectively inverting the intended permission check.

Exploitation requires an attacker to have a valid Contributor-level WordPress account. The attacker must first upload a malicious XML product file to the server via legitimate means. They then trigger the import functionality by sending a POST request to the WordPress admin area, likely via `admin-ajax.php` or `admin-post.php`, with the `cpis_import` parameter containing a valid nonce. The nonce verification passes, but the flawed logic bypasses the `current_user_can( 'manage_options' )` check, granting unauthorized import access.

The patch in version 1.2.0 refactors the flawed conditional statement. The corrected code on lines 826-831 separates the three checks with explicit logical AND (`&&`) relationships. The new condition requires all three to be true: the `cpis_import` POST parameter must not be empty, the nonce must verify successfully, AND the user must have the `manage_options` capability. This enforces the intended authorization requirement that only administrators can perform imports.
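To make the effect of the operator grouping checkable rather than a matter of reading parentheses, here is an added example (my own code, not the plugin's or Atomic Edge's) that models the pre- and post-patch guards as Python booleans and enumerates every input combination. The three inputs are assumptions standing in for the three PHP calls in the diff.

```python
from itertools import product

# Constructed model of the guard in cpis_admin_init (added example, not plugin code).
# Each boolean stands in for one PHP call from the diff:
#   present -> ! empty( $_POST['cpis_import'] )
#   valid   -> wp_verify_nonce( ..., 'session_id_' . session_id() ) returned truthy
#   can     -> current_user_can( 'manage_options' )
# A guard returns True when the plugin would throw (import refused).

def vulnerable_throws(present, valid, can):
    # <= 1.1.9: empty(...) || ! ( wp_verify_nonce(...) || ! current_user_can(...) )
    return (not present) or not (valid or not can)

def patched_throws(present, valid, can):
    # 1.2.0: empty(...) || ! wp_verify_nonce(...) || ! current_user_can(...)
    return (not present) or (not valid) or (not can)

def possible_inputs():
    # An empty POST field can never verify as a nonce, so the
    # combination present=False, valid=True cannot occur and is dropped.
    return [(p, v, c) for p, v, c in product((False, True), repeat=3) if p or not v]

def admitted(guard):
    """Set of (present, valid, can) inputs for which the guard does NOT throw."""
    return {inp for inp in possible_inputs() if not guard(*inp)}

def wrongly_admitted():
    """Inputs the vulnerable guard lets through but the patched guard rejects."""
    return sorted(admitted(vulnerable_throws) - admitted(patched_throws))

if __name__ == "__main__":
    print("1.2.0 guard admits:", sorted(admitted(patched_throws)))
    for present, valid, can in wrongly_admitted():
        print(f"<= 1.1.9 wrongly admits: nonce present={present}, "
              f"nonce valid={valid}, manage_options={can}")
```

The enumeration shows the old guard admits every non-administrator who sends a non-empty `cpis_import` value, whether or not the nonce verifies, while the patched guard admits only the single row where all three checks are true.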

Successful exploitation allows an attacker with low-level privileges to import arbitrary product data. This could lead to unauthorized modification of the store’s catalog, injection of malicious links or content, or disruption of normal store operations. While the attack requires a pre-uploaded XML file and Contributor access, it represents a clear privilege escalation within the plugin’s administrative functions.

Differential between vulnerable and patched code

Code Diff
--- a/cp-image-store/cp-image-store.php
+++ b/cp-image-store/cp-image-store.php
@@ -3,7 +3,7 @@
 Plugin Name: CP Image Store with Slideshow
 Plugin URI: http://wordpress.dwbooster.com/content-tools/image-store#download
 Description: Image Store is an online store for the sale of image files: images, predefined pictures, clipart, drawings, vector images. For payment processing, Image Store uses PayPal, which is the most widely used payment gateway, safe and easy to use.
-Version: 1.1.9
+Version: 1.2.0
 Author: CodePeople
 Author URI: http://wordpress.dwbooster.com/content-tools/image-store
 Text Domain: cp-image-store
@@ -86,7 +86,7 @@
 $cpis_layout         = array();

 // CONST
-define( 'CPIS_VERSION', '1.1.9' );
+define( 'CPIS_VERSION', '1.2.0' );
 define( 'CPIS_PLUGIN_DIR', dirname( __FILE__ ) );
 define( 'CPIS_PLUGIN_URL', plugins_url( '', __FILE__ ) );
 define( 'CPIS_ADMIN_URL', rtrim( admin_url( get_current_blog_id() ), '/' ) . '/' );
@@ -823,7 +823,11 @@
 				add_filter( 'upload_dir', 'cpis_upload_dir' );

 				try {
-					if ( empty( $_POST['cpis_import'] ) || ! ( wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['cpis_import'] ) ), 'session_id_' . session_id() ) || ! current_user_can( 'manage_options' ) ) ) {
+					if (
+						empty( $_POST['cpis_import'] ) ||
+						! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['cpis_import'] ) ), 'session_id_' . session_id() ) ||
+						! current_user_can( 'manage_options' )
+					) {
 						throw new Exception( __( 'You have not sufficient privileges to import images', 'cp-image-store' ) );
 					}
 					require_once __DIR__ . '/includes/import.php';
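Review bot: The regrouping is correct: the old `! ( wp_verify_nonce( ... ) || ! current_user_can( 'manage_options' ) )` only threw when the nonce failed and the caller was an administrator, so any non-administrator with a non-empty `cpis_import` value fell through, whereas the new flat `||` chain throws unless all three checks pass. Two follow-ups on this hunk: consider putting `! current_user_can( 'manage_options' )` first in the chain so the cheapest, session-independent check runs before the nonce action `'session_id_' . session_id()` is built (`session_id()` yields an empty string when no PHP session has been started, which makes that nonce action silently degenerate), and the message `'You have not sufficient privileges to import images'` should read `'You have insufficient privileges to import images'`. A small test covering the three failing branches and the one passing branch would have caught the original grouping.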

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-0684 - CP Image Store with Slideshow <= 1.1.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Product Import
// (The opening tag is placed before the header so these lines are PHP comments rather than literal output.)

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';
$username = 'contributor_user';
$password = 'contributor_pass';

// Step 1: Authenticate and obtain cookies and nonce.
// The specific AJAX action for the import and the nonce generation endpoint
// must be identified via plugin code review. This PoC outlines the required structure.

// $ch = curl_init();
// curl_setopt_array($ch, [
//     CURLOPT_URL => $target_url,
//     CURLOPT_POST => true,
//     CURLOPT_POSTFIELDS => [
//         'action' => 'cpis_import_action', // The actual AJAX hook name from the plugin
//         'cpis_import' => 'VALID_NONCE_HERE', // Requires a valid nonce from a page load
//         // Other required parameters for the import, likely referencing an uploaded XML file
//     ],
//     CURLOPT_COOKIEJAR => 'cookies.txt',
//     CURLOPT_RETURNTRANSFER => true,
// ]);
// $response = curl_exec($ch);
// curl_close($ch);
// echo $response;

// Due to the prerequisite of a pre-uploaded XML file and the need to harvest
// a valid nonce from an authenticated session, a fully automated PoC is complex.
// The exploit chain involves:
// 1. Authenticating as a Contributor.
// 2. Loading an admin page to obtain a fresh nonce for the 'cpis_import' action.
// 3. Possibly uploading an XML file via another allowed function.
// 4. Sending the final POST request with the nonce to trigger the import.
// The core vulnerability is the bypass of the current_user_can('manage_options') check.

?>
