Threat Entry Updated 2026-04-08

CVE-2026-4065 - Smart Slider 3 Plugin

The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple wp_ajax_smart-slider3 controller actions in all versions up to, and including, 3.5.1.33. The display_admin_ajax() method does not call checkForCap() (which requires unfiltered_html capability), and several controller actions only validate the nonce (validateToken()) without calling validatePermission(). This makes it possible for authenticated attackers, with Contributor-level access and above, to enumerate slider metadata and create, modify, and delete image storage records by obtaining the nextend_nonce exposed on post editor pages.

PLUGIN Smart Slider 3

CVE-2026-4065

MEDIUM CVSS 5.4 2026-04-07

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-04-08

CVE-2026-3098 - Smart Slider 3 Plugin

The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.5.1.33 via the 'actionExportAll' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Smart Slider 3

CVE-2026-3098

MEDIUM CVSS 6.5 2026-03-27

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-07-31

CVE-2025-6348 - Smart Slider 3 Plugin

The Smart Slider 3 plugin for WordPress is vulnerable to time-based SQL Injection via the ‘sliderid’ parameter in all versions up to, and including, 3.5.1.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Smart Slider 3

CVE-2025-6348

MEDIUM CVSS 4.9 2025-07-30

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2024-3027 - Smart Slider 3 Plugin

The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the upload function in all versions up to, and including, 3.5.1.22. This makes it possible for authenticated attackers, with contributor-level access and above, to upload files, including SVG files, which can be used to conduct stored cross-site scripting attacks.

PLUGIN Smart Slider 3

CVE-2024-3027

MEDIUM CVSS 6.4 2024-04-13

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-02-19

CVE-2023-0660 - Smart Slider 3 Plugin

The Smart Slider 3 WordPress plugin before 3.5.1.14 does not properly validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

PLUGIN Smart Slider 3

CVE-2023-0660

MEDIUM CVSS 5.4 2023-03-27

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-05-06

CVE-2022-3357 - Smart Slider 3 Plugin

The Smart Slider 3 WordPress plugin before 3.5.1.11 unserialises the content of an imported file, which could lead to PHP object injection issues when a user import (intentionally or not) a malicious file, and a suitable gadget chain is present on the site.

PLUGIN Smart Slider 3

CVE-2022-3357

HIGH CVSS 8.8 2022-10-31

Risk Score

Open Full Technical Breakdown