Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Smart Slider 3 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.5.1.36 via the replaceHTMLImage function. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
AnalysisAI
Directory traversal in the Smart Slider 3 WordPress plugin (all versions ≤ 3.5.1.36) exposes arbitrary server-side files to authenticated administrators via the replaceHTMLImage function in the plugin's slider export/backup subsystem. An attacker with administrator-level WordPress access can craft a request that traverses outside the intended directory and return the raw contents of sensitive files such as wp-config.php. No public exploit or CISA KEV listing exists at time of analysis, and the high privilege requirement (CVSS PR:H) substantially limits the realistic attack surface to insider threats, compromised admin accounts, or privilege-escalation chains.
Technical ContextAI
The vulnerability resides in the replaceHTMLImage function, called from ExportSlider.php (lines 312 and 404) and routed through ControllerSlider.php (line 261) - all part of the plugin's backup and export subsystem under the Nextend\SmartSlider3\BackupSlider namespace. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal) identifies the root cause as insufficient sanitization of user-supplied file path input, allowing canonical path escape sequences (e.g., '../') to resolve files outside the plugin's intended working directory. The affected product is confirmed by CPE cpe:2.3:a:nextendweb:smart_slider_3:*:*:*:*:*:*:*:* (Nextend Web's Smart Slider 3 for WordPress). Because the vulnerability is in export/backup functionality typically accessed via the WordPress admin panel, the attack surface is inherently scoped to authenticated admin sessions.
RemediationAI
A fix has been committed to the WordPress plugin repository as confirmed by the changeset reference at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3552076%40smart-slider-3&new=3552076%40smart-slider-3; however, the exact patched release version number is not independently confirmed from the available data - the patch version should be verified against the Smart Slider 3 changelog on wordpress.org/plugins before deploying. Update Smart Slider 3 to the latest available version via the WordPress admin dashboard (Plugins > Updates) or via WP-CLI ('wp plugin update smart-slider-3'). As a compensating control until patching is complete, enforce multi-factor authentication on all WordPress administrator accounts and restrict admin panel access by IP allowlist where feasible; note that IP restrictions may affect legitimate remote administration workflows. Audit WordPress admin accounts for unauthorized additions, as the attack requires admin-level credentials.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34944
GHSA-9vww-62gg-qrcp