Critical Vulnerability in Smart Slider 3 Plugin Affects Over 500,000 WordPress Sites, Risking Data Exposure


Tuesday, March 31, 2026

A security vulnerability has been discovered in the widely used Smart Slider 3 plugin for WordPress, which is installed on more than 800,000 websites. The flaw, tracked as CVE-2026-3098, allows low-privileged users such as Subscribers to access sensitive files on the server, including wp-config.php, which contains critical information such as database credentials and security keys. This could lead to data exposure and potential full site compromise.

The vulnerability is caused by insufficient capability checks in the plugin’s AJAX functionality, particularly in the actionExportAll function, which fails to properly validate the type and origin of the files it reads. As a result, any authenticated user can retrieve arbitrary files from the server. Although a nonce mechanism is implemented, it does not mitigate the issue: a nonce only proves the request came from a valid logged-in session (a CSRF defence), and any logged-in user, including a Subscriber, can obtain a valid nonce value, so it does not restrict who is authorized to call the handler. The vulnerability was discovered by researcher Dmitrii Ignatyev and confirmed by Defiant.
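To make the distinction concrete, the following is an added illustrative example, not code from Smart Slider 3 or from the researchers, of the class of WordPress AJAX handler described above. The handler names, the `example_export_nonce` action and the `example-exporter` upload directory are all assumptions chosen for illustration. The first handler relies on a nonce alone, which is the weak pattern; the second adds a capability check and confines file reads to one directory and one file type, which is how such a handler is hardened.

```php
<?php
// Added illustrative example (not Smart Slider 3 code). All function, action
// and directory names below are assumptions for the purpose of illustration.

// WEAK PATTERN: the nonce is a CSRF defence, not an authorization check.
// Every authenticated role (Subscriber included) can fetch a nonce, so this
// handler restricts neither WHO may export nor WHICH file is read.
function example_export_weak() {
    check_ajax_referer( 'example_export_nonce', 'nonce' );
    $file = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    // Reads whatever path the caller supplied, e.g. a server config file.
    $contents = file_get_contents( $file );
    wp_send_json_success( array( 'data' => $contents ) );
}
add_action( 'wp_ajax_example_export_weak', 'example_export_weak' );

// HARDENED PATTERN: nonce (CSRF) + capability check (authorization) +
// constrained file resolution (no arbitrary path, no arbitrary extension).
function example_export_hardened() {
    check_ajax_referer( 'example_export_nonce', 'nonce' );

    // Authorization: only users who may manage the site can trigger an export.
    // wp_send_json_error() ends the request, so no explicit return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // sanitize_file_name() strips path separators and other special characters,
    // so "../" sequences cannot survive; realpath() containment below is a
    // second, independent layer in case the allow-listed directory moves.
    $requested = isset( $_POST['file'] )
        ? sanitize_file_name( wp_unslash( $_POST['file'] ) )
        : '';

    $export_dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-exporter/';
    $base       = realpath( $export_dir );
    $path       = ( '' !== $requested ) ? realpath( $export_dir . $requested ) : false;

    if (
        false === $base
        || false === $path
        // Resolved path must sit strictly inside the export directory.
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR )
        // Only the export format is served; never .php or config files.
        || 'json' !== strtolower( pathinfo( $path, PATHINFO_EXTENSION ) )
    ) {
        wp_send_json_error( array( 'message' => 'Invalid file' ), 400 );
    }

    wp_send_json_success( array( 'data' => file_get_contents( $path ) ) );
}
add_action( 'wp_ajax_example_export_hardened', 'example_export_hardened' );
```

When reviewing a plugin's `wp_ajax_*` handlers, the check to apply is that each privileged action carries all three layers: `check_ajax_referer()` for CSRF, `current_user_can()` with a capability appropriate to the action for authorization, and validation of any user-supplied path against an allow-listed directory and extension before it reaches a filesystem call.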

The developers of Smart Slider 3 have released a patch to address this issue in version 3.5.1.34. However, statistics indicate that at least 500,000 websites remain unpatched and are still at risk. While there are currently no confirmed reports of active exploitation, the vulnerability is likely to be targeted in the near future. Administrators are strongly advised to update the plugin to the latest version immediately to mitigate potential attacks.

Source: https://www.bleepingcomputer.com/news/security/file-read-flaw-in-smart-slider-plugin-impacts-500k-wordpress-sites/