What the vulnerability does
01Description
The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple wp_ajax_smart-slider3 controller actions in all versions up to, and including, 3.5.1.33. The display_admin_ajax() method does not call checkForCap() (which requires unfiltered_html capability), and several controller actions only validate the nonce (validateToken()) without calling validatePermission(). This makes it possible for authenticated attackers, with Contributor-level access and above, to enumerate slider metadata and create, modify, and delete image storage records by obtaining the nextend_nonce exposed on post editor pages.
Explanation of Vulnerability in Simple Terms
02Summary
Smart Slider 3 through version 3.5.1.33 does not properly check user permissions before allowing access to certain administrative functions. A logged-in user with low privileges can read and modify slider data they should not have access to. Update to a version newer than 3.5.1.33 to resolve this issue.
What an attacker can do
03Attacker Capabilities
Read and modify slider content and settings without proper authorization.
Potential impact on your site
04Site Impact
Unauthorized users can view and alter slider configurations, potentially exposing or modifying site content.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account on the site.
Key dates
06Disclosure timeline
April 7, 2026
CVE published
April 8, 2026
Record updated