CVE-2022-3357 - How a Smart Slider 3 Vulnerability Could Let Hackers Take Over WordPress Sites

In November 2022, a critical vulnerability was discovered in the popular Smart Slider 3 WordPress plugin. Identified as CVE-2022-3357, this security flaw could allow an attacker to take full control over a website, just by tricking someone into importing a specially-crafted file. In this post, we’ll walk through what this bug is, how it works, and how someone could exploit it, using real code snippets and easy-to-understand examples.

What is Smart Slider 3?

Smart Slider 3 is a very popular WordPress plugin for creating eye-catching sliders and banners. It’s used by over 900,000 sites, making any vulnerability in this plugin a big deal.

The Problem: Untrusted Data Leads to Dangerous Code Execution

Before version 3.5.1.11, Smart Slider 3 had a dangerous function inside its import feature. When someone imported a project, the plugin ran the following PHP command under the hood:

$data = unserialize( file_get_contents($imported_file) );

The problem? PHP’s unserialize() can be *very* risky when used on user-provided data. If an attacker uploads a malicious file containing specific PHP serialized objects ("gadget chains"), the unserialize function could cause the site to execute attacker-controlled PHP code.

Why is This Bad?

- Object Injection: Attackers could exploit the unserialize() function to run *any* code they want, if the environment has suitable PHP classes (“gadgets”).
- RCE (Remote Code Execution): In the worst case, this could let hackers add backdoors, upload malicious files, or take over the whole website.

Inside the plugin’s import feature, the code looked something like this (simplified)

<?php
if ( isset($_FILES['import_file']) ) {
    $file = $_FILES['import_file']['tmp_name'];
    // This is risky - import file content is user-controlled
    $data = unserialize( file_get_contents($file) );
    // ...use $data...
}
?>

- Anyone *who can upload a file* (think: Editors, Administrators, Sometimes even Subscribers(!)), or anyone tricking one of those users to do so, could supply a malicious file.

Here’s how a simple serialized object payload can look

<?php
class Evil {
    public $cmd = 'id'; // Just for example: Runs 'id' command
    function __destruct() {
        system($this->cmd);
    }
}
// Save object as a serialized string
$payload = serialize(new Evil());
// Write $payload to a file and upload as "import"
file_put_contents('malicious_slider.txt', $payload);
?>

The Evil class here is a dummy example. In real-world attacks, hackers look for *existing classes* in WordPress or its plugins that trigger dangerous code during the destruct, __wakeup, or similar magic methods. This is called a *gadget chain*.

Real example

If a site has the right vulnerable gadget chain, importing this file could execute system('id')—and with a more complex payload, much worse.

Build the exploit - Find out which "gadgets" (PHP classes) are available on the target.

2. Generate a serialized payload - Use PHP tools to serialize an object chain that, when unserialized, triggers malicious code.
3. Trick a user to import the file – This could be an admin being social engineered (“Hey, check out my cool slider! Import it!”).
4. Code execution - The plugin unserializes the file, the payload activates, attacker’s code runs.

Example Exploit Flow Diagram

graph TD
A[Attacker crafts malicious file] --> B[Attacker uploads or tricks admin to upload]
B --> C[Smart Slider 3 plugin unserializes file]
C --> D[Malicious payload triggers code execution]
D --> E[Attacker gains control]

How to Fix

The Smart Slider 3 team fixed this issue in version 3.5.1.11, replacing unsafe unserialize usage with safe alternatives (i.e., using json_decode or strong validation).

Update Now:  
If you use Smart Slider 3, *upgrade immediately* to the latest version.

References

- https://wpscan.com/vulnerability/2f43fa6e-d311-4e78-b435-da771d6b584a — WPScan Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2022-3357 — NIST NVD Entry
- https://patchstack.com/database/vulnerability/smart-slider-3/wordpress-smart-slider-3-plugin-3-5-1-10-php-object-injection-via-plugin-import/ — Patchstack Research

Conclusion

CVE-2022-3357 is a textbook example of why it’s dangerous to unserialize data from untrusted sources in PHP. Plugins like Smart Slider 3 are used across millions of sites — so a security lapse here can have huge effects.

If you run Smart Slider 3, update now. If you’re a WordPress developer, never trust imported data, and never use unserialize() on user-provided content.

Stay safe! Protect your WordPress site.

*This post is exclusively written for knowledge sharing. For any questions, feel free to ask below!*

Timeline

Published on: 10/31/2022 16:15:00 UTC
Last modified on: 12/07/2022 02:16:00 UTC