Home

Description

The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple wp_ajax_smart-slider3 controller actions in all versions up to, and including, 3.5.1.33. The display_admin_ajax() method does not call checkForCap() (which requires unfiltered_html capability), and several controller actions only validate the nonce (validateToken()) without calling validatePermission(). This makes it possible for authenticated attackers, with Contributor-level access and above, to enumerate slider metadata and create, modify, and delete image storage records by obtaining the nextend_nonce exposed on post editor pages.

PUBLISHED Reserved 2026-03-12 | Published 2026-04-07 | Updated 2026-04-08 | Assigner Wordfence




MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Problem types

CWE-862 Missing Authorization

Product status

Default status
unaffected

Any version
affected

Timeline

2026-03-12:Vendor Notified
2026-04-07:Disclosed

Credits

darkestmode finder

References

www.wordfence.com/...-b7e0-419a-bfc3-528bcddb1ac2?source=cve

plugins.trac.wordpress.org/...ordPress/Admin/AdminHelper.php

plugins.trac.wordpress.org/...ordPress/Admin/AdminHelper.php

plugins.trac.wordpress.org/...ders/ControllerAjaxSliders.php

plugins.trac.wordpress.org/.../Image/ControllerAjaxImage.php

plugins.trac.wordpress.org/...rm/WordPress/HelperTinyMCE.php

plugins.trac.wordpress.org/...%2Ftrunk&sfp_email=&sfph_mail=

cve.org (CVE-2026-4065)

nvd.nist.gov (CVE-2026-4065)

Download JSON