MEDIUM 4.9

CVE-2026-9197: Smart Slider 3 Directory Traversal Vulnerability – File Read Risk

Smart Slider 3, a popular WordPress plugin, contains a directory traversal vulnerability affecting all versions up to 3.5.1.36. An authenticated WordPress administrator can exploit the replaceHTMLImage function to read sensitive files from the server, including configuration files, database credentials, and other confidential data. The attack requires administrator-level privileges and direct knowledge of the server's file paths, but poses a meaningful risk in environments where admin access is delegated or compromised.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.9 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-22
Affected products
0 configuration(s)
Published / Modified
2026-06-06 / 2026-06-17

NVD description (verbatim)

The Smart Slider 3 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.5.1.36 via the replaceHTMLImage function. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9197 is a path traversal vulnerability (CWE-22) in the Smart Slider 3 WordPress plugin's replaceHTMLImage function. The vulnerability allows an authenticated administrator to construct requests with directory traversal sequences (e.g., ../) to escape intended directory boundaries and read arbitrary files on the underlying server. The CVSS 3.1 score of 4.9 (MEDIUM severity) reflects high confidentiality impact but low attack complexity—no network-level authentication bypass is required, though privilege escalation or admin account compromise is a prerequisite. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog as of the latest update.

Business impact

The exposure of sensitive files—such as wp-config.php, database backup files, environment configuration files, or SSH keys—could enable lateral movement, database compromise, or full environment disclosure. For WordPress sites where multiple users hold administrator privileges (common in agencies and large organizations), the risk surface is wider. Exploitation does not require user interaction and can be executed programmatically once an attacker has admin access, making it a high-priority follow-up after any admin account compromise or during post-breach forensics.

Affected systems

Smart Slider 3 plugin for WordPress in all versions up to and including 3.5.1.36. The plugin is used for creating responsive image sliders and galleries. Organizations using this plugin should verify their installed version against vendor advisories and patch management records. The vulnerability is not limited to a specific WordPress deployment model—it affects self-hosted, managed, and cloud-based WordPress installations equally.

Exploitability

Exploitation requires an authenticated account with administrator-level access to the WordPress site. No authentication bypass, zero-click attack vector, or public exploit code is known. An attacker must either have legitimate admin credentials, have compromised an admin account, or be operating in an environment where admin access was provisioned to an untrusted party. Once authenticated, the attack is straightforward: crafting a request to the vulnerable function with traversal sequences. The barrier to exploitation is moderate—privilege elevation is the primary constraint.

Remediation

Update the Smart Slider 3 plugin to a patched version released by the vendor after 3.5.1.36. Verify the specific patch version against the official Smart Slider 3 plugin repository or vendor advisory. As an interim measure, restrict WordPress administrator role assignment to trusted personnel only, disable plugin functionality if not actively used, or use Web Application Firewall rules to block requests containing path traversal patterns (../) to plugin endpoints. Regular auditing of admin account activity and file access logs is recommended.

Patch guidance

Check the Smart Slider 3 plugin repository and the vendor's official security advisory for the patched version number. Install the update via WordPress admin dashboard (Plugins > Updates) or via wp-cli. Verify successful patching by confirming the plugin version in the dashboard and testing plugin functionality post-update. Do not rely on automated updates if manual review is required; test in a staging environment first. If patches are not yet available, consider disabling the plugin until a fix is released.

Detection guidance

Monitor WordPress error logs and Web Application Firewall logs for requests to the replaceHTMLImage endpoint containing directory traversal sequences (.., ../, ..\). Audit WordPress admin user activity logs to identify any unusual file read operations or plugin function calls. Check server access logs for patterns indicating reconnaissance of sensitive files (wp-config.php, .env, /etc/passwd simulation attempts). Review file integrity monitoring alerts on sensitive configuration files. Correlate timing of admin account creation, privilege escalation, or password changes with exploitation attempts.

Why prioritize this

Although the CVSS score is MEDIUM (4.9), prioritization should be elevated if: (1) the WordPress site is internet-facing and accessible to untrusted users, (2) multiple administrators manage the site, (3) the site stores sensitive customer or business data, (4) the site has had recent security incidents involving credential theft, or (5) the site is part of a critical business process. The vulnerability bridges admin compromise and data exfiltration—a common stepping stone in multi-stage attacks. Patch this within 30 days if the site is in a stable state; expedite to 7–14 days if admin access controls are loose or if recent suspicious admin activity has been detected.

Risk score, explained

The CVSS 3.1 score of 4.9 (MEDIUM) reflects: High Confidentiality Impact (sensitive files exposed), No Integrity or Availability Impact (read-only), High Privileges Required (administrator role), Low Attack Complexity (no special conditions), and Network-based Attack Vector. The score does not account for organizational context such as data sensitivity, multi-admin environments, or historical compromise trends. SEC.co recommends layering this score with your own risk factors: if your organization's WordPress sites store PII, financial data, or proprietary code, treat this as a higher priority.

Frequently asked questions

Do we need to patch this if we have no administrator users other than the owner?

Patching is still recommended, but your immediate risk is lower. However, account compromise, credential stuffing, or social engineering targeting the sole admin remain plausible. Patching removes an avenue for data exfiltration if the owner's account is ever compromised, and is a best practice for any internet-facing plugin.

What files could an attacker read if they exploit this?

An attacker with knowledge of the server's file system structure could read wp-config.php (database credentials), .env files (API keys), database backups, SSH keys, previous access logs, and any file readable by the WordPress process user. The specific files depend on the attacker's knowledge of the site's directory structure and server configuration.

Is there a public exploit for CVE-2026-9197?

As of the latest update, this vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog, indicating no widespread public exploitation at this time. However, the straightforward nature of path traversal means exploitation code can be developed quickly once disclosure occurs. Do not assume the absence of a public exploit means low risk.

Can we mitigate without patching?

Partial mitigation is possible: disable the plugin entirely if not in use, restrict administrator role to a single trusted user, implement a Web Application Firewall rule blocking requests with traversal sequences to the plugin, or use a WordPress security hardening plugin to limit admin API access. These are temporary measures and should not replace patching.

This analysis is based on publicly disclosed vulnerability data as of the modification date (2026-06-17). Patch version numbers and vendor-specific guidance should be verified against the official Smart Slider 3 repository and vendor security advisory. SEC.co does not provide exploit code or weaponized proof-of-concept demonstrations. This vulnerability analysis is for informational purposes and does not constitute legal, compliance, or formal risk assessment advice. Organizations should conduct their own threat modeling and patch management planning. No guarantee of accuracy or completeness is provided for external links or third-party vendor communications. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).