Skip to main content

Smart Slider 3

4 CVEs product

Monthly

CVE-2026-12385 MEDIUM This Month

Sensitive information exposure in the Smart Slider 3 WordPress plugin (all versions up to and including 3.5.1.37) allows authenticated Contributor-level users to extract titles and full content excerpts of private, draft, pending, trashed, and auto-draft posts belonging to any user on the site - including Administrators and Editors - via the unsecured 'keyword' Ajax parameter. The attack barrier is further lowered because the required nonce is automatically emitted on /wp-admin/post-new.php, a page accessible to any Contributor by default through the edit_posts capability, making nonce acquisition trivial. No public exploit code and no confirmed active exploitation (CISA KEV) have been identified at time of analysis.

PHP Information Disclosure WordPress Smart Slider 3
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2022-45845 MEDIUM This Month

Deserialization of Untrusted Data vulnerability in Nextend Smart Slider 3.5.1.9. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Smart Slider 3
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2023-0660 MEDIUM POC This Month

The Smart Slider 3 WordPress plugin before 3.5.1.14 does not properly validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Smart Slider 3
NVD WPScan
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-3357 HIGH POC This Week

The Smart Slider 3 WordPress plugin before 3.5.1.11 unserialises the content of an imported file, which could lead to PHP object injection issues when a user import (intentionally or not) a malicious. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP Smart Slider 3
NVD WPScan
CVSS 3.1
8.8
EPSS
1.9%
EPSS 0% CVSS 4.3
MEDIUM This Month

Sensitive information exposure in the Smart Slider 3 WordPress plugin (all versions up to and including 3.5.1.37) allows authenticated Contributor-level users to extract titles and full content excerpts of private, draft, pending, trashed, and auto-draft posts belonging to any user on the site - including Administrators and Editors - via the unsecured 'keyword' Ajax parameter. The attack barrier is further lowered because the required nonce is automatically emitted on /wp-admin/post-new.php, a page accessible to any Contributor by default through the edit_posts capability, making nonce acquisition trivial. No public exploit code and no confirmed active exploitation (CISA KEV) have been identified at time of analysis.

PHP Information Disclosure WordPress +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Deserialization of Untrusted Data vulnerability in Nextend Smart Slider 3.5.1.9. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Smart Slider 3
NVD
EPSS 0% CVSS 5.4
MEDIUM POC This Month

The Smart Slider 3 WordPress plugin before 3.5.1.14 does not properly validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Smart Slider 3
NVD WPScan
EPSS 2% CVSS 8.8
HIGH POC This Week

The Smart Slider 3 WordPress plugin before 3.5.1.11 unserialises the content of an imported file, which could lead to PHP object injection issues when a user import (intentionally or not) a malicious. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP +1
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy