Cross-Site Request Forgery Vulnerability in Image Slider Plugin by Ays
CVE-2025-14454

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Image Slider By Ays- Responsive Slider And Carousel
Vendor: CVE Published:; 13 December 2025

What is CVE-2025-14454?

The Image Slider by Ays – Responsive Slider and Carousel plugin for WordPress contains a Cross-Site Request Forgery vulnerability due to inadequate nonce validation in the bulk delete functionality. This flaw allows unauthenticated attackers to exploit the plugin by sending forged requests to delete any arbitrary sliders. The attack requires an administrator to be tricked into clicking a malicious link, which could lead to unauthorized deletion of content. As a result, site owners should consider applying security measures to mitigate this vulnerability.

Affected Version(s)

Image Slider by Ays- Responsive Slider and Carousel * <= 2.7.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/ays-slider/tru...

https://plugins.trac.wordpress.org/browser/ays-slider/tag...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 13, 2025
Vulnerability Reserved
Dec 10, 2025

Credit

Camilla Flocco

JSON