Vulnerabilities and security researches forsmart-slider-3 smart-slider-3

Jun 07, 2024

CVE, Research URL: CVE-2024-3027
Home page URL: Security reports for Smart Slider 3
Application: Smart Slider 3
Date: Apr 13, 2024
Research Description: The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the upload function in all versions up to, and including, 3.5.1.22. This makes it possible for authenticated attackers, with contributor-level access and above, to upload files, including SVG files, which can be used to conduct stored cross-site scripting attacks.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2021-24382
Home page URL: Security reports for Smart Slider 3
Application: Smart Slider 3
Date: Jun 14, 2021
Research Description: The Smart Slider 3 Free and pro WordPress plugins before 3.5.0.9 did not sanitise the Project Name before outputting it back in the page, leading to a Stored Cross-Site Scripting issue. By default, only administrator users could access the affected functionality, limiting the exploitability of the vulnerability. However, some WordPress admins may allow lesser privileged users to access the plugin's functionality, in which case, privilege escalation could be performed.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2022-3357
Home page URL: Security reports for Smart Slider 3
Application: Smart Slider 3
Date: Oct 31, 2022
Research Description: The Smart Slider 3 WordPress plugin before 3.5.1.11 unserialises the content of an imported file, which could lead to PHP object injection issues when a user import (intentionally or not) a malicious file, and a suitable gadget chain is present on the site.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2022-45845
Home page URL: Security reports for Smart Slider 3
Application: Smart Slider 3
Date: Jan 19, 2024
Research Description: Deserialization of Untrusted Data vulnerability in Nextend Smart Slider 3.This issue affects Smart Slider 3: from n/a through 3.5.1.9.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2022-45843
Home page URL: Security reports for Smart Slider 3
Application: Smart Slider 3
Date: Mar 23, 2023
Research Description: Auth. (contributor+) Stored Cross-Site Scripting vulnerability in Nextend Smart Slider 3 plugin <= 3.5.1.9 versions.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-0660
Home page URL: Security reports for Smart Slider 3
Application: Smart Slider 3
Date: Mar 27, 2023
Research Description: The Smart Slider 3 WordPress plugin before 3.5.1.14 does not properly validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
Affected versions: Min -, max -.
Status: vulnerable

Aug 02, 2025

CVE, Research URL: CVE-2025-6348
Home page URL: Security reports for Smart Slider 3
Application: Smart Slider 3
Date: Jul 30, 2025
Research Description: The Smart Slider 3 plugin for WordPress is vulnerable to time-based SQL Injection via the ‘sliderid’ parameter in all versions up to, and including, 3.5.1.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions: Min -, max -.
Status: vulnerable