WordPress Plugin Vulnerabilities

2J SlideShow < 1.3.40 - Authenticated Arbitrary Plugin Deactivation

Description

Lack of authorisation checks in the twoj_slideshow_setup() function registered as an AJAX call could allow authenticated users with low privileges to deactivate arbitrary plugins.

Affects Plugins

Plugin icon
2j-slideshow
Fixed in 1.3.40

References

CVE
CVE-2020-36729
URL
https://blog.nintechnet.com/wordpress-2j-slideshow-plugin-fixed-authenticated-arbitrary-plugin-deactivation-vulnerability/

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269

Miscellaneous

Original Researcher
Jerome Bruandet (nintechnet.com)
Verified
No
WPVDB ID
98d937b6-a149-461d-ab33-2d5af0554cb0

Timeline

Publicly Published
2020-01-20 (about 6 years ago)
Added
2020-01-20 (about 6 years ago)
Last Updated
2023-06-08 (about 2 years ago)

Other

Published
Title
Published
2025-03-18
Title
BoomBox Theme Extensions < 1.8.1 - Subscriber+ Privilege Escalation via Password Reset/Account Takeover in boombox_ajax_reset_password
Published
2024-12-11
Title
CE21 Suite < 2.2.1 - Unauthenticated Privilege Escalation
Published
2022-10-10
Title
Automatic User Roles Switcher < 1.1.2 - Subscriber+ Privilege Escalation
Published
2025-09-23
Title
Goodlayers Core < 2.1.7 - Authenticated (Contributor+) Privilege Escalation
Published
2025-08-19
Title
CubeWP Framework < 1.1.25 - Subscriber+ Privilege Escalation