CVE-2025-8418: 
WordPress vulnerability analysis and mitigation

The B Slider- Gutenberg Slider Block for WP plugin for WordPress contains a vulnerability (CVE-2025-8418) related to Arbitrary Plugin Installation, affecting all versions up to and including 1.1.30. The vulnerability was discovered and reported by Wordfence, with the initial disclosure on August 12, 2025 (NVD).

The vulnerability stems from missing capability checks on the activated_plugin function in the plugin's adminMenu.php file. This security flaw has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The weakness is classified as CWE-862 (Missing Authorization) (NVD, Wordfence).

The vulnerability allows authenticated attackers with subscriber-level access or higher to install arbitrary plugins on the server. This capability can potentially lead to remote code execution, significantly compromising the security of the affected WordPress installations (NVD).

A fix has been implemented in version 2.0.0 released on August 9, 2025, which adds proper authorization checks requiring the 'activate_plugins' capability before allowing plugin installation (WordPress Changeset). Users are strongly advised to update to this version or later.