Skip to content
Tech News
← Back to articles

File read flaw in Smart Slider plugin impacts 500K WordPress sites

2026-03-29 | original
read original get WordPress Security Plugin → more articles
Why This Matters

The vulnerability in the Smart Slider 3 plugin poses a significant security risk for WordPress sites, especially those with membership features, by allowing authenticated users to access sensitive server files. This could lead to data theft, credential exposure, and potential site takeovers, highlighting the importance of timely updates and security vigilance for website owners and developers.

Key Takeaways

A vulnerability in the Smart Slider 3 WordPress plugin, active on more than 800,000 websites, can be exploited to allow subscriber-level users access to arbitrary files on the server.

An authenticated attacker could use it to access sensitive files, such as wp-config.php, which includes database credentials, keys, and salt data, creating the risk for user data theft and complete website takeover.

Smart Slider 3 is one of the most popular WordPress plugins for creating and managing image sliders and content carousels. It offers an easy-to-use drag-and-drop editor and a rich set of templates to choose from.

The security issue, tracked as CVE-2026-3098, was discovered and reported by researcher Dmitrii Ignatyev and impacts all versions of the Smart Slider 3 plugin through 3.5.1.33.

It received a medium severity score due to requiring authentication. However, this only limits the impact to websites with membership or subscription options, a feature that is common on many platforms these days.

The vulnerability stems from missing capability checks in the plugin’s AJAX export actions. This allows any authenticated user, including subscribers, to invoke them.

According to researchers at WordPress security company Defiant, the developer of the Wordfence security plugin, the 'actionExportAll' function lacks file type and source validation, thus allowing arbitrary server files to be read and added to the export archive.

The presence of a nonce does not prevent abuse because it can be obtained by authenticated users.

“Unfortunately, this function does not include any file type or file source checks in the vulnerable version. This means that not only image or video files can be exported, but .php files can as well,” says István Márton, a vulnerability research contractor at Defiant.

“This ultimately makes it possible for authenticated attackers with minimal access, like subscribers, to read any arbitrary file on the server, including the site’s wp-config.php file, which contains the database credentials as well as keys and salts for cryptographic security.”

... continue reading

Explore topics: smart slider wordpress cve-2026-3098 wp-config.php wordfence
Related:
I decompiled the White House's new app
WordPress.com now lets AI agents write and publish posts, and more
You Can Now Let an AI Agent Modify Your WordPress.com Website
WordPress launches an in-browser website creator
WordPress debuts a private workspace that runs in your browser via a new service, my.WordPress.net

© 2026 GoKawiil

About | Editorial Policy | Contact