PT-2026-57857 · WordPress · Smart Slider 3

Yuvraj Tomar

·

Published

2026-07-13

·

Updated

2026-07-13

·

CVE-2026-12385

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions Smart Slider 3 versions prior to 3.5.1.38
Description Authenticated attackers with contributor-level access and above can cause sensitive information exposure. By manipulating the keyword parameter, an attacker can extract titles and full content excerpts of private, draft, pending, trashed, and auto-draft posts authored by any user, including Administrators and Editors. The necessary nonce is available on the '/wp-admin/post-new.php' endpoint, which is accessible to users with the edit posts capability.
Recommendations Update the plugin to a version newer than 3.5.1.37. Avoid using the keyword parameter in the affected plugin until the update is applied.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-12385

Affected Products

Smart Slider 3