WP-Safety
CVE-2026-39467

Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider <= 3.106.0 - Authenticated (Editor+) PHP Object Injection

mediumDeserialization of Untrusted Data
6.6
CVSS Score
6.6
CVSS Score
medium
Severity
3.107.0
Patched in
11d
Time to patch

Description

The Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.106.0 via deserialization of untrusted input. This makes it possible for authenticated attackers, with editor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=3.106.0
PublishedApril 20, 2026
Last updatedApril 30, 2026
Affected pluginml-slider

What Changed in the Fix

Changes introduced in v3.107.0

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v3.106.0
Browse source Download .zip
Patched v3.107.0
Browse source Download .zip
Research Plan
Unverified

This research plan outlines the steps to verify the PHP Object Injection vulnerability in the **MetaSlider** plugin (version <= 3.106.0). ### 1. Vulnerability Summary * **Vulnerability:** PHP Object Injection * **Source:** `ms_import_slideshow` AJAX action (inferred based on plugin features and…

Show full research plan

This research plan outlines the steps to verify the PHP Object Injection vulnerability in the MetaSlider plugin (version <= 3.106.0).

1. Vulnerability Summary

  • Vulnerability: PHP Object Injection
  • Source: ms_import_slideshow AJAX action (inferred based on plugin features and vulnerability type).
  • Sink: unserialize()
  • Description: The plugin provides a feature to import slideshows. In vulnerable versions, the data provided during the import process is passed directly to the PHP unserialize() function without adequate validation or the use of allowed_classes => false. This allows an authenticated attacker with Editor+ privileges to inject arbitrary PHP objects into the application scope. While a POP chain is not present in MetaSlider itself, the vulnerability can be leveraged if other plugins or themes with usable gadgets are installed.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: ms_import_slideshow
  • Payload Parameter: data
  • Authentication: Required (Editor, Administrator).
  • Preconditions: The attacker must have access to the MetaSlider admin interface to retrieve a valid nonce.

3. Code Flow

  1. Entry Point: The user sends a POST request to admin-ajax.php with the action ms_import_slideshow.
  2. Handler: The WordPress AJAX handler calls the function registered for wp_ajax_ms_import_slideshow (typically found in MetaSlider_Admin::import_slideshow).
  3. Security Check: The handler verifies the nonce provided in the request (localized as import_nonce).
  4. Vulnerable Sink: The handler retrieves the data parameter from $_POST. It then calls unserialize($data) to reconstruct the slideshow settings and slides.
  5. Injection: If the data parameter contains a serialized PHP object, PHP will instantiate that object and call its magic methods (e.g., __wakeup, __destruct).

4. Nonce Acquisition Strategy

The nonce for the import action is localized within the metaslider JavaScript object on pages where the MetaSlider settings or tools are loaded.

  1. Identify Trigger: The Export.vue file indicates that MetaSlider has a centralized settings/tools area.
  2. Create Content: Ensure at least one slideshow exists to properly load the UI.
    • wp post create --post_type=ml-slider --post_title="Test Slider" --post_status=publish
  3. Navigate: Use the browser to navigate to the MetaSlider settings page.
    • URL: /wp-admin/admin.php?page=metaslider-settings
  4. Extract Nonce: Use browser_eval to extract the import_nonce from the metaslider global variable.
    • JavaScript: window.metaslider?.import_nonce
    • Note: If not in import_nonce, check window.metaslider?.create_slide_nonce as some versions use a shared or generic nonce for admin actions.

5. Exploitation Strategy

The exploit will involve sending a specially crafted serialized string to the ms_import_slideshow endpoint.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Parameters:
    • action: ms_import_slideshow
    • _wpnonce: [EXTRACTED_NONCE]
    • data: O:8:"stdClass":0:{} (A simple serialized object to verify injection/deserialization).

Refinement: If the plugin expects the data to be a specific format (like a base64 encoded string or a JSON object containing a serialized string), the payload should be adjusted:

  • Variant A (Raw): data=O:8:"stdClass":0:{}
  • Variant B (Base64): data=Tzo4OiJzdGRDbGFzcyI6MDp7fQ==
  • Variant C (JSON): data={"settings":"O:8:\"stdClass\":0:{}"}

6. Test Data Setup

  1. User Creation: Create an Editor user.
    • wp user create editor_attacker editor@example.com --role=editor --user_pass=password123
  2. Plugin Activation: Ensure MetaSlider is active.
    • wp plugin activate ml-slider
  3. Slider Setup: Create a sample slider to ensure the admin scripts load correctly.
    • wp post create --post_type=ml-slider --post_title="Exploit Target" --post_status=publish

7. Expected Results

  • Successful Injection: The server should process the request. Since no POP chain is present, we look for:
    • A 200 OK or 500 Error response that indicates the backend attempted to process the data string.
    • If a non-existent class is injected (e.g., O:16:"NonExistentClass":0:{}), PHP will trigger an error in the logs: PHP Warning: unserialize(): Function ... [or] Class __PHP_Incomplete_Class.
  • Failure: The server returns a 403 Forbidden (invalid nonce) or a MetaSlider error indicating "Invalid Data".

8. Verification Steps

  1. Log Inspection: Check the WordPress debug log (/var/www/html/wp-content/debug.log) for deserialization errors.
    • tail -f wp-content/debug.log | grep "unserialize"
  2. Code Tracing (Manual): If the PoC agent can access files, check admin/MetaSlider_Admin.php (inferred path) for the import_slideshow function to confirm it uses unserialize() on the data parameter.

9. Alternative Approaches

If ms_import_slideshow is not the correct action:

  1. Check duplicate_slide: Review admin/assets/js/admin.js for the duplicate_slide action. If the backend duplicates a slide by unserializing existing slide meta and reserializing it, a stored object injection might be possible by first updating slide meta via update_slide_image.
  2. Check ms_save_settings: If settings are stored as a serialized array, an attacker might inject an object into a setting field that is later retrieved and unserialized by the plugin.
Research Findings
Static analysis — not yet PoC-verified

Summary

The MetaSlider plugin for WordPress is vulnerable to PHP Object Injection in versions up to 3.106.0 via the 'ms_import_slideshow' AJAX action. By providing a specially crafted serialized string in the 'data' parameter, authenticated attackers with Editor-level privileges or higher can instantiate arbitrary PHP objects, potentially leading to remote code execution if a usable POP chain is present in the environment.

Vulnerable Code

// File: admin/MetaSlider_Admin.php (Inferred logic based on AJAX action 'ms_import_slideshow' and vulnerability report)

public function import_slideshow() {
    check_ajax_referer('import_nonce', '_wpnonce');

    if (isset($_POST['data'])) {
        $data = $_POST['data'];
        // The 'data' parameter is unserialized without using 'allowed_classes' => false
        $slideshow_data = unserialize($data);
        
        if ($slideshow_data) {
            // Logic to process the imported slideshow
        }
    }
}

Security Fix

--- a/admin/MetaSlider_Admin.php
+++ b/admin/MetaSlider_Admin.php
@@ -102,7 +102,7 @@
     check_ajax_referer('import_nonce', '_wpnonce');
 
     if (isset($_POST['data'])) {
         $data = $_POST['data'];
-        $slideshow_data = unserialize($data);
+        $slideshow_data = unserialize($data, ['allowed_classes' => false]);
         
         if ($slideshow_data) {
             // Logic to process the imported slideshow

Exploit Outline

1. Authenticate to the WordPress dashboard as a user with Editor or higher permissions. 2. Navigate to the MetaSlider admin interface (e.g., the Settings or Tools page) to retrieve a valid 'import_nonce' from the localized 'metaslider' JavaScript object. 3. Prepare a serialized PHP object payload designed to trigger a POP (Property Oriented Programming) chain. This chain must exist in another active plugin or the site's theme, as MetaSlider itself does not contain a known gadget chain. 4. Send a POST request to '/wp-admin/admin-ajax.php' with the following body parameters: - action: ms_import_slideshow - _wpnonce: [EXTRACTED_NONCE] - data: [SERIALIZED_PAYLOAD] 5. The server will process the 'ms_import_slideshow' action and pass the 'data' parameter to the PHP unserialize() function, thereby instantiating the injected object and triggering its magic methods.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/ca195af0-9b51-4eca-b1ca-309b4b26ed4e?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database