SecuriTricks - CVE-2016-20074

Description

WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into submitting POST requests to the plugin settings page via lzcs_admin.php to modify plugin configuration parameters like lzcs_color and lzcs_count.

Product(s) Impacted

Vendor	Product	Versions
Wordpress	Lazy Content Slider	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	wordpress	lazy_content_slider	/	/	/	/	/	/	/	/

References

https://www.exploit-db.com/exploits/40070

https://www.vulncheck.com/advisories/wordpress-lazy-content-slider-plugin-csrf

CVSS Score

5.3 / 10

CVSS Data - 4.0

Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: LOW
User Interaction: NONE
Scope:
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Exploit Maturity: NOT_DEFINED

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: June 15, 2026, 2:16 p.m.
Last Modified: June 15, 2026, 8:50 p.m.

Status : Deferred

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2016-20074