CVE-2016-20074 | WordPress Lazy Content Slider Plugin 3.4 contains a cross-si… | CVSS 4.3 MEDIUM

Description

WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into submitting POST requests to the plugin settings page via lzcs_admin.php to modify plugin configuration parameters like lzcs_color and lzcs_count.

Metadata

CVE ID: CVE-2016-20074
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-15 11:41 UTC
Published: 2026-06-15 12:00 UTC
Last updated: 2026-06-15 16:34 UTC
Primary CWE: CWE-352
Cross-Site Request Forgery (CSRF)
Vendor / Product: leethompson / Lazy Content Slider Plugin
Sources: cve.org · NVD

Severity & Metrics

4.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
leethompson	Lazy Content Slider Plugin	—	3.4

Weakness (CWE)

CWE	Source	Description
CWE-352	cna	Cross-Site Request Forgery (CSRF)

CVSS scores (2)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
4.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References (2)

ExploitDB-40070 https://www.exploit-db.com/exploits/40070
VulnCheck Advisory: WordPress Lazy Content Slider Plugin 3.4 CSRF https://www.vulncheck.com/advisories/wordpress-lazy-content-slider-plugin-csrf