PatchSiren cyber security CVE debrief
CVE-2026-9197 nextendweb CVE debrief
The Smart Slider 3 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.5.1.36 via the replaceHTMLImage function. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
- Vendor: nextendweb
- Product: Smart Slider 3
- CVSS: MEDIUM 4.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-06
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-06
- Advisory updated: 2026-06-08
Who should care
Administrators of WordPress installations using the Smart Slider 3 plugin, especially those with versions up to 3.5.1.36, should be aware of this vulnerability.
Technical summary
The vulnerability is caused by a Directory Traversal issue in the replaceHTMLImage function of the Smart Slider 3 plugin. This allows authenticated attackers with administrator-level access to read arbitrary files on the server.
Defensive priority
MEDIUM
Recommended defensive actions
- Update the Smart Slider 3 plugin to a version beyond 3.5.1.36.
- Restrict access to the plugin's functionality to prevent unauthorized use.
- Monitor server logs for suspicious file access attempts.
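To support the update step, the following added example (not code from the plugin or from this advisory) audits a `wp-content/plugins` directory and reports Smart Slider 3 installs at or below 3.5.1.36. It assumes the plugin's main file carries a standard WordPress header whose `Plugin Name` begins with "Smart Slider 3"; the folder names and the 3.5.1.37 version in the demo are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (3, 5, 1, 36)  # last affected version per the advisory text

# WordPress reads plugin metadata from a header comment in the main PHP file.
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:\s*(.+?)\s*$", re.M | re.I)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.M | re.I)


def parse_version(text):
    """Turn '3.5.1.36' into (3, 5, 1, 36), zero-padded to at least four parts."""
    parts = [int(p) for p in text.strip(".").split(".") if p]
    return tuple(parts + [0] * (4 - len(parts)))


def find_affected(plugins_dir):
    """Return [(plugin_folder, version)] for Smart Slider 3 installs <= 3.5.1.36."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        name = NAME_RE.search(head)
        if not name or not name.group(1).lower().startswith("smart slider 3"):
            continue  # assumption: the header name starts with "Smart Slider 3"
        ver = VERSION_RE.search(head)
        if ver is None:
            hits.append((php.parent.name, "unknown"))  # flag for manual review
        elif parse_version(ver.group(1)) <= LAST_AFFECTED:
            hits.append((php.parent.name, ver.group(1)))
    return hits


def demo():
    """Build a constructed plugins tree (sample data) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for folder, name, ver in [
            ("site-a-slider", "Smart Slider 3", "3.5.1.36"),
            ("site-b-slider", "Smart Slider 3", "3.5.1.37"),
            ("other-plugin", "Some Other Plugin", "1.0"),
        ]:
            d = Path(root, folder)
            d.mkdir()
            (d / "main.php").write_text(f"<?php\n/*\nPlugin Name: {name}\nVersion: {ver}\n*/\n")
        return find_affected(root)


if __name__ == "__main__":
    print(demo())
```

Point `find_affected` at each site's real plugins directory; an "unknown" result means the header had no parseable version and the install should be checked by hand.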
Evidence notes
The vulnerability was reported by [email protected] and is documented in various references including CVE.org and NVD.
Official resources
CVE-2026-9197 was published on 2026-06-06T04:17:41.813Z and modified on 2026-06-08T14:57:14.757Z.