PatchSiren cyber security CVE debrief
CVE-2026-12385 nextendweb CVE debrief
The Smart Slider 3 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.1.37 via the 'keyword' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to extract titles and full content excerpts of private, draft, pending, trashed, and auto-draft posts authored by any user, including Administrators and Editors. The vulnerability has a CVSS score of 4.3 and is considered Medium priority. The required nonce is emitted on /wp-admin/post-new.php, which is accessible to Contributor-level users via the edit_posts capability.
- Vendor
- nextendweb
- Product
- Smart Slider 3
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Administrators and users of the Smart Slider 3 plugin for WordPress should be aware of this vulnerability and take immediate action to protect their sites. This includes reviewing the plugin's version, restricting access to the 'keyword' parameter, and monitoring for suspicious activity. Affected operators and platforms should prioritize patching and vulnerability management.
Technical summary
The Smart Slider 3 plugin for WordPress is vulnerable to Sensitive Information Exposure. The vulnerability exists in all versions up to, and including, 3.5.1.37 and is caused by the 'keyword' parameter. An authenticated attacker with contributor-level access and above can exploit this vulnerability to extract titles and full content excerpts of private, draft, pending, trashed, and auto-draft posts authored by any user, including Administrators and Editors. The vulnerability has a CVSS score of 4.3 and is considered Medium priority.
Defensive priority
Medium priority due to the CVSS score of 4.3 and the potential for sensitive information exposure.
Recommended defensive actions
- Update the Smart Slider 3 plugin to a version that is not vulnerable
- Restrict access to the 'keyword' parameter
- Monitor for suspicious activity
- Implement additional security measures to protect sensitive information
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-13T20:16:42.387Z and was last modified on 2026-07-13T20:21:44.960Z. The NVD entry is currently Deferred. The Smart Slider 3 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.1.37 via the 'keyword' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to extract titles and full content excerpts of private, draft, pending, trashed, and auto-draft posts authored by any user, including Administrators and Editors. The required nonce is emitted on /wp-admin/post-new.php, which is accessible to Contributor-level users via the edit_posts capability, meaning any Contributor can obtain the nonce needed to trigger the injection. Evidence limits suggest verifying the vulnerability with limited information.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T20:16:42.387Z and has not been modified since then. The NVD entry is currently Deferred.