WordPress Plugin Vulnerabilities

B Slider- Gutenberg Slider Block for WP < 2.0.0 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Plugin Installation

Description

The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Arbitrary Plugin Installation in all versions up to, and including, 1.1.30. This is due to missing capability checks on the activated_plugin function. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the server which can make remote code execution possible.

Affects Plugins

Plugin icon
b-slider
Fixed in 2.0.0

References

CVE
CVE-2025-8418
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/deffd646-5117-4086-bf4b-8a17ffdaad8b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.8 (high)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
9c183cd3-e661-45ab-948e-cd2b75142d2a

Timeline

Publicly Published
2025-08-11 (about 9 months ago)
Added
2025-08-11 (about 9 months ago)
Last Updated
2025-08-12 (about 9 months ago)

Other

Published
Title
Published
2025-10-30
Title
Order Export & Order Import for WooCommerce < 2.6.8 - Missing Authorization
Published
2022-08-16
Title
Calendar Event Multi View < 1.4.07 - Unauthenticated Arbitrary Event Creation to Stored XSS
Published
2025-12-12
Title
Easy Theme Options <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Import
Published
2025-01-24
Title
Advanced Notifications < 1.2.8 - Missing Authorization
Published
2024-12-12
Title
Banner System <= 1.0.0 - Missing Authorization