Code Injection in Smart Slider 3

#VU69771 Code Injection in Smart Slider 3

Published: 2022-12-01

Vulnerability identifier: #VU69771

Vulnerability risk: Low

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-45845

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Smart Slider 3
Web applications / Modules and components for CMS

Vendor: Nextend

Description

The vulnerability allows a remote user to inject and execute arbitrary PHP code.

The vulnerability exists due to improper input validation. A remote user can send a specially crafted HTTP request and execute arbitrary PHP code on the server.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Smart Slider 3: 3.5.1.0 - 3.5.1.9

External links
http://patchstack.com/database/vulnerability/smart-slider-3/wordpress-smart-slider-3-plugin-3-5-1-9-auth-php-object-injection-vulnerability

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

PHP code execution in WordPress Smart Slider 3 plugin