PT-2026-57857 · WordPress · Smart Slider 3
Yuvraj Tomar
·
Published
2026-07-13
·
Updated
2026-07-13
·
CVE-2026-12385
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Smart Slider 3 versions prior to 3.5.1.38
Description
Authenticated attackers with contributor-level access and above can cause sensitive information exposure. By manipulating the
keyword parameter, an attacker can extract titles and full content excerpts of private, draft, pending, trashed, and auto-draft posts authored by any user, including Administrators and Editors. The necessary nonce is available on the '/wp-admin/post-new.php' endpoint, which is accessible to users with the edit posts capability.Recommendations
Update the plugin to a version newer than 3.5.1.37.
Avoid using the
keyword parameter in the affected plugin until the update is applied.Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Smart Slider 3