Sensitive Information Exposure in Smart Slider 3 Plugin for WordPress
CVE-2026-12385
4.3MEDIUM
What is CVE-2026-12385?
The Smart Slider 3 plugin for WordPress permits authenticated users with contributor-level access and higher to exploit a vulnerability that allows them to extract sensitive data. Specifically, the 'keyword' parameter can be used to access the titles and full content of private, draft, pending, trashed, and auto-draft posts authored by any user, including those with Administrator and Editor roles. This vulnerability stems from the availability of a required nonce on /wp-admin/post-new.php, accessible to contributors via the edit_posts capability, facilitating unauthorized data retrieval.
Affected Version(s)
Smart Slider 3 0 <= 3.5.1.37