In November 2022, a critical vulnerability was discovered in the popular Smart Slider 3 WordPress plugin. Identified as CVE-2022-3357, this security flaw could allow an attacker to take full control over a website, just by tricking someone into importing a specially-crafted file. In this post, we’ll walk through what this bug is, how it works, and how someone could exploit it, using real code snippets and easy-to-understand examples.
What is Smart Slider 3?
Smart Slider 3 is a very popular WordPress plugin for creating eye-catching sliders and banners. It’s used by over 900,000 sites, making any vulnerability in this plugin a big deal.
The Problem: Untrusted Data Leads to Dangerous Code Execution
Before version 3.5.1.11, Smart Slider 3 had a dangerous function inside its import feature. When someone imported a project, the plugin ran the following PHP command under the hood:
$data = unserialize( file_get_contents($imported_file) );
The problem? PHP’s unserialize() can be *very* risky when used on user-provided data. If an attacker uploads a malicious file containing specific PHP serialized objects ("gadget chains"), the unserialize function could cause the site to execute attacker-controlled PHP code.
Why is This Bad?
- Object Injection: Attackers could exploit the unserialize() function to run *any* code they want, if the environment has suitable PHP classes (“gadgets”).
- RCE (Remote Code Execution): In the worst case, this could let hackers add backdoors, upload malicious files, or take over the whole website.
Inside the plugin’s import feature, the code looked something like this (simplified)
<?php
if ( isset($_FILES['import_file']) ) {
$file = $_FILES['import_file']['tmp_name'];
// This is risky - import file content is user-controlled
$data = unserialize( file_get_contents($file) );
// ...use $data...
}
?>
- Anyone *who can upload a file* (think: Editors, Administrators, Sometimes even Subscribers(!)), or anyone tricking one of those users to do so, could supply a malicious file.
Here’s how a simple serialized object payload can look
<?php
class Evil {
public $cmd = 'id'; // Just for example: Runs 'id' command
function __destruct() {
system($this->cmd);
}
}
// Save object as a serialized string
$payload = serialize(new Evil());
// Write $payload to a file and upload as "import"
file_put_contents('malicious_slider.txt', $payload);
?>
The Evil class here is a dummy example. In real-world attacks, hackers look for *existing classes* in WordPress or its plugins that trigger dangerous code during the destruct, __wakeup, or similar magic methods. This is called a *gadget chain*.
Real example
If a site has the right vulnerable gadget chain, importing this file could execute system('id')—and with a more complex payload, much worse.
Build the exploit - Find out which "gadgets" (PHP classes) are available on the target.
2. Generate a serialized payload - Use PHP tools to serialize an object chain that, when unserialized, triggers malicious code.
3. Trick a user to import the file – This could be an admin being social engineered (“Hey, check out my cool slider! Import it!”).
4. Code execution - The plugin unserializes the file, the payload activates, attacker’s code runs.
Example Exploit Flow Diagram
graph TD
A[Attacker crafts malicious file] --> B[Attacker uploads or tricks admin to upload]
B --> C[Smart Slider 3 plugin unserializes file]
C --> D[Malicious payload triggers code execution]
D --> E[Attacker gains control]
How to Fix
The Smart Slider 3 team fixed this issue in version 3.5.1.11, replacing unsafe unserialize usage with safe alternatives (i.e., using json_decode or strong validation).
Update Now:
If you use Smart Slider 3, *upgrade immediately* to the latest version.
References
- https://wpscan.com/vulnerability/2f43fa6e-d311-4e78-b435-da771d6b584a — WPScan Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2022-3357 — NIST NVD Entry
- https://patchstack.com/database/vulnerability/smart-slider-3/wordpress-smart-slider-3-plugin-3-5-1-10-php-object-injection-via-plugin-import/ — Patchstack Research
Conclusion
CVE-2022-3357 is a textbook example of why it’s dangerous to unserialize data from untrusted sources in PHP. Plugins like Smart Slider 3 are used across millions of sites — so a security lapse here can have huge effects.
If you run Smart Slider 3, update now. If you’re a WordPress developer, never trust imported data, and never use unserialize() on user-provided content.
Stay safe! Protect your WordPress site.
*This post is exclusively written for knowledge sharing. For any questions, feel free to ask below!*
Timeline
Published on: 10/31/2022 16:15:00 UTC
Last modified on: 12/07/2022 02:16:00 UTC