CVE-2016-20074 Overview
CVE-2016-20074 is a Cross-Site Request Forgery [CWE-352] vulnerability in the WordPress Lazy Content Slider Plugin version 3.4. The plugin's lzcs_admin.php settings handler accepts POST requests without verifying a CSRF token or nonce. An attacker can craft a malicious HTML form and trick an authenticated WordPress administrator into submitting it. The resulting request modifies plugin configuration parameters such as lzcs_color and lzcs_count under the administrator's session.
Critical Impact
Authenticated administrators visiting an attacker-controlled page can have plugin settings modified without consent, enabling unauthorized configuration changes through forged POST requests.
Affected Products
- WordPress Lazy Content Slider Plugin version 3.4
- WordPress installations with the Lazy Content Slider Plugin enabled
- Administrator accounts authenticated to a vulnerable WordPress site
Discovery Timeline
- 2026-06-15 - CVE-2016-20074 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2016-20074
Vulnerability Analysis
The vulnerability stems from missing anti-CSRF protections in the plugin's administrative settings handler. The lzcs_admin.php endpoint processes POST submissions for plugin configuration without validating a WordPress nonce or verifying the request origin. WordPress provides built-in functions such as wp_nonce_field() and check_admin_referer() for this purpose, but the plugin does not invoke them on its settings update logic.
Because the browser automatically attaches the administrator's authenticated session cookies to cross-origin requests, any forged POST submission executes with administrator privileges. The Exploit-DB entry #40070 demonstrates the issue with a minimal HTML form targeting the settings page.
Root Cause
The root cause is the absence of CSRF token validation on state-changing requests. The plugin's settings handler trusts that any authenticated session submitting POST data to lzcs_admin.php represents legitimate administrator intent. Parameters including lzcs_color and lzcs_count are written directly to the plugin configuration store without verifying that the request originated from the WordPress administration interface.
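The following is an added illustration, not the Lazy Content Slider plugin's own code, of the pattern the root-cause analysis describes: a WordPress settings handler that writes POST parameters straight to the options table, shown beside a hardened version that uses the nonce functions named above. The function and page names (lzcs_vulnerable_save, lzcs_render_form, lzcs_hardened_save, the lzcs-settings page slug) are hypothetical; lzcs_color and lzcs_count are the option names the advisory mentions.

```php
<?php
// Added illustration (not the plugin's own code). Option names lzcs_color and
// lzcs_count come from the advisory; all function names here are hypothetical.

// --- Vulnerable shape: any request that arrives with the administrator's
//     cookies is written to the options table. A form auto-submitted from an
//     attacker's page is indistinguishable from a legitimate save.
function lzcs_vulnerable_save() {
    if ( isset( $_POST['lzcs_color'] ) ) {
        update_option( 'lzcs_color', $_POST['lzcs_color'] );
    }
    if ( isset( $_POST['lzcs_count'] ) ) {
        update_option( 'lzcs_count', $_POST['lzcs_count'] );
    }
}

// --- Hardened shape: the settings form carries a nonce bound to the action
//     and the logged-in user, and the handler refuses requests without it.
function lzcs_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="lzcs_save_settings">
        <?php wp_nonce_field( 'lzcs_save_settings', 'lzcs_nonce' ); ?>
        <label>Color <input type="text" name="lzcs_color"
               value="<?php echo esc_attr( get_option( 'lzcs_color', '#000000' ) ); ?>"></label>
        <label>Count <input type="number" name="lzcs_count" min="1" max="50"
               value="<?php echo esc_attr( get_option( 'lzcs_count', 5 ) ); ?>"></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function lzcs_hardened_save() {
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: check_admin_referer() verifies the nonce (tied to the
    //    action name, the current user and a time window) and calls wp_die()
    //    if it is missing or invalid. A page on another origin cannot read the
    //    nonce out of the admin's form, so a forged POST fails here.
    check_admin_referer( 'lzcs_save_settings', 'lzcs_nonce' );

    // 3. Validate and normalise input before storing it.
    $color = isset( $_POST['lzcs_color'] ) ? trim( wp_unslash( $_POST['lzcs_color'] ) ) : '';
    if ( preg_match( '/^#[0-9a-fA-F]{6}$/', $color ) ) {
        update_option( 'lzcs_color', strtolower( $color ) );
    }
    $count = isset( $_POST['lzcs_count'] ) ? absint( $_POST['lzcs_count'] ) : 0;
    if ( $count >= 1 && $count <= 50 ) {
        update_option( 'lzcs_count', $count );
    }

    // Redirect back to the (hypothetical) settings page after a successful save.
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=lzcs-settings' ) ) );
    exit;
}

// admin_post_{action} fires only for logged-in users posting to admin-post.php.
add_action( 'admin_post_lzcs_save_settings', 'lzcs_hardened_save' );
```

The capability check and the nonce check do different jobs: current_user_can() answers "may this user change settings at all", while check_admin_referer() answers "did this user actually intend this request". CSRF defeats only the second question, which is why the nonce is the fix and not a stricter role check.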
Attack Vector
An attacker hosts a web page containing a hidden HTML form that auto-submits to the target WordPress site's lzcs_admin.php endpoint. The form includes attacker-chosen values for plugin settings. The attacker delivers the page through phishing, forum posts, or a compromised site. When a logged-in WordPress administrator visits the page, the browser submits the form using the administrator's existing session, and the plugin applies the attacker-supplied configuration values.
The vulnerability mechanism is documented in the Exploit-DB #40070 proof of concept and the VulnCheck WordPress Advisory. No verified code examples are reproduced here.
Detection Methods for CVE-2016-20074
Indicators of Compromise
- POST requests to wp-admin/admin.php or paths referencing lzcs_admin.php with HTTP Referer headers pointing to external domains.
- Unexpected changes to Lazy Content Slider plugin options including lzcs_color and lzcs_count in the WordPress options table.
- Web server access logs showing administrator-authenticated POST submissions originating from sessions that did not visit the plugin's settings page beforehand.
Detection Strategies
- Monitor WordPress audit logs for plugin option changes that occur outside of normal administrative workflows.
- Inspect HTTP Referer and Origin headers on POST requests to plugin administration endpoints and flag mismatches with the site's own domain.
- Correlate browser session activity with configuration changes to identify settings updates that lack a preceding GET request to the plugin settings page.
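One way to apply the Referer/Origin strategy above to web server logs, as an added example that is not part of the advisory: a small PHP script that parses access-log lines in the Apache/Nginx combined format and flags POSTs to the plugin handler whose Referer is absent or belongs to another host. The site host (example.com), the request paths and the log lines are constructed for illustration and do not reproduce the plugin's real URL layout.

```php
<?php
// Added example (not from the advisory). The site host, paths and log lines
// below are constructed; lzcs_admin.php is the handler name the advisory gives.

const LZCS_SITE_HOST = 'example.com';   // assumption: the protected site's host

// Parse one combined-format access-log line into its fields; null if it does not match.
function lzcs_parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6] === '-' ? '' : $m[6],
    );
}

// Return a reason string when a request looks like a forged settings write,
// or null when it is not a POST to the handler or the Referer is same-host.
function lzcs_csrf_reason( array $req, string $site_host ): ?string {
    if ( $req['method'] !== 'POST' || strpos( $req['path'], 'lzcs_admin.php' ) === false ) {
        return null;                       // not a write to the plugin handler
    }
    if ( $req['referer'] === '' ) {
        return 'missing Referer';          // browsers normally send one on form posts
    }
    $ref_host = parse_url( $req['referer'], PHP_URL_HOST );
    if ( ! is_string( $ref_host ) || strcasecmp( $ref_host, $site_host ) !== 0 ) {
        return 'off-origin Referer: ' . $req['referer'];
    }
    return null;
}

// Constructed sample: a legitimate GET then POST from the settings page, a POST
// referred from a foreign host, and a POST with no Referer at all.
$sample_log = <<<'LOG'
198.51.100.7 - - [15/Jun/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=lzcs_admin.php HTTP/1.1" 200 5120 "https://example.com/wp-admin/" "Mozilla/5.0"
198.51.100.7 - - [15/Jun/2026:10:01:30 +0000] "POST /wp-admin/admin.php?page=lzcs_admin.php HTTP/1.1" 302 0 "https://example.com/wp-admin/admin.php?page=lzcs_admin.php" "Mozilla/5.0"
198.51.100.7 - - [15/Jun/2026:11:45:09 +0000] "POST /wp-admin/admin.php?page=lzcs_admin.php HTTP/1.1" 302 0 "https://foreign-site.invalid/blog/post.html" "Mozilla/5.0"
198.51.100.7 - - [15/Jun/2026:11:46:12 +0000] "POST /wp-admin/admin.php?page=lzcs_admin.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

foreach ( explode( "\n", $sample_log ) as $line ) {
    $req = lzcs_parse_log_line( $line );
    if ( $req === null ) {
        continue;
    }
    $reason = lzcs_csrf_reason( $req, LZCS_SITE_HOST );
    if ( $reason !== null ) {
        printf( "ALERT %s %s %s -> %s\n", $req['time'], $req['ip'], $req['path'], $reason );
    }
}
```

Run against the sample above, the script reports the third and fourth lines and stays silent on the legitimate pair. A missing Referer is weaker evidence than an off-origin one, since some browsers and proxies strip the header, so treat that alert as a lead to correlate with the wp_options change rather than as proof on its own.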
Monitoring Recommendations
- Enable a WordPress activity logging plugin to record administrator-initiated configuration changes with timestamps and source IPs.
- Forward web server access logs to a centralized analytics platform and alert on POST traffic to plugin admin endpoints with anomalous referers.
- Review the wp_options table periodically for unexpected modifications to lzcs_* keys.
How to Mitigate CVE-2016-20074
Immediate Actions Required
- Deactivate and remove the Lazy Content Slider Plugin version 3.4 if no vendor-supplied patch is available.
- Restrict access to /wp-admin/ paths by IP allowlist or VPN where operationally feasible.
- Require administrators to log out of WordPress when not actively managing the site to reduce CSRF exposure.
Patch Information
No vendor patch is referenced in the available advisories. Site operators should consult the VulnCheck WordPress Advisory for the latest remediation guidance and consider replacing the plugin with an actively maintained alternative.
Workarounds
- Deploy a web application firewall rule that blocks POST requests to plugin administration endpoints lacking a same-origin Referer or Origin header.
- Use a WordPress security plugin that enforces nonce validation or referer checks on administrative POST requests.
- Segment administrator browsing by using a dedicated browser profile that does not visit untrusted sites while authenticated to WordPress.
# Example ModSecurity rules blocking off-origin POSTs to the plugin handler; https://example.com/ is a placeholder for the site's own origin.
# The first chain catches POSTs with no Referer at all, the second catches a Referer from another host;
# legitimate administrators behind Referer-stripping proxies would trip the first chain, so log before enforcing.
SecRule REQUEST_METHOD "@streq POST" \
    "chain,id:1002016,phase:1,deny,status:403,msg:'CVE-2016-20074 CSRF block: no Referer'"
    SecRule REQUEST_URI "@contains lzcs_admin.php" "chain"
        SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none"
SecRule REQUEST_METHOD "@streq POST" \
    "chain,id:1002017,phase:1,deny,status:403,msg:'CVE-2016-20074 CSRF block: off-origin Referer'"
    SecRule REQUEST_URI "@contains lzcs_admin.php" "chain"
        SecRule REQUEST_HEADERS:Referer "!@beginsWith https://example.com/" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.