File read flaw in Smart Slider plugin impacts 500K WordPress sites

A vulnerability in the Smart Slider 3 WordPress plugin, installed on over 800,000 sites, allows authenticated subscriber-level users to read arbitrary server files—including wp-config.php—putting database credentials, keys, and salts at risk and enabling full site takeover. Tracked as CVE-2026-3098 and fixed in version 3.5.1.34, the flaw stems from missing capability and file-type checks in AJAX export actions and leaves roughly 500,000 sites still running vulnerable versions that should update immediately. #SmartSlider3 #CVE-2026-3098

Keypoints

  • The Smart Slider 3 plugin contains an authenticated arbitrary file read vulnerability.
  • The flaw (CVE-2026-3098) affects all versions through 3.5.1.33 and was reported by Dmitrii Ignatyev.
  • Missing capability, file-type, and source checks in the actionExportAll AJAX export allow subscribers to export .php and other sensitive files.
  • Exposure of wp-config.php can leak database credentials, authentication keys, and salts, enabling data theft and complete website takeover.
  • Nextendweb released a patch in 3.5.1.34 on March 24, but approximately 500,000 sites remain vulnerable and should apply the update immediately.
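The bullets above name three missing controls in the export handler: a capability check, a file-type check, and a source (path) check. As an added illustration, not Smart Slider 3's code or Nextendweb's patch, the following WordPress AJAX handler shows what those controls look like together. The action name `example_export`, the constant `EXAMPLE_EXPORT_DIR`, and the function `example_export_handler()` are hypothetical names chosen for the example; the WordPress API calls (`check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `sanitize_file_name`, `realpath`) are standard.

```php
<?php
// Added example (not the plugin's own code): a WordPress AJAX export handler
// with the checks whose absence is described above. Names prefixed
// "example_" are hypothetical.

define( 'EXAMPLE_EXPORT_DIR', WP_CONTENT_DIR . '/uploads/example-exports' );

function example_export_handler() {
    // 1. Nonce check: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_export', 'nonce' );

    // 2. Capability check: any logged-in user, including a subscriber, can
    //    reach admin-ajax.php, so the handler itself must gate on a
    //    capability that subscribers do not have.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Source check: accept a bare file name only, never a path. Path
    //    separators and traversal sequences are rejected, not silently fixed.
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( '' === $name || $name !== basename( $name ) ) {
        wp_send_json_error( array( 'message' => 'Invalid file name.' ), 400 );
    }

    // 4. File-type check: an allowlist of export formats. Executable or
    //    configuration files such as .php are never exportable.
    $allowed_ext = array( 'zip', 'json' );
    $ext         = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, $allowed_ext, true ) ) {
        wp_send_json_error( array( 'message' => 'File type not allowed.' ), 400 );
    }

    // 5. Containment check: resolve symlinks and confirm the final path is
    //    inside the export directory, so a link or an unusual file name
    //    cannot point the handler at wp-config.php.
    $base = realpath( EXAMPLE_EXPORT_DIR );
    $path = realpath( EXAMPLE_EXPORT_DIR . '/' . $name );
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( array( 'message' => 'File not found.' ), 404 );
    }

    // 6. Only now is the file served.
    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    readfile( $path );
    wp_die();
}

// Registered for logged-in users only (no wp_ajax_nopriv_ variant). That
// alone is not enough: the capability check inside the handler is what
// keeps subscriber-level accounts out.
add_action( 'wp_ajax_example_export', 'example_export_handler' );
```

The order matters for auditing: authorization (steps 1 and 2) comes before any input is interpreted, and the file-type and containment checks (4 and 5) each independently block the wp-config.php case, so a regression in one still leaves the other standing. When reviewing a plugin update such as 3.5.1.34, these are the checks to look for in the export path.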

Read More: https://www.bleepingcomputer.com/news/security/file-read-flaw-in-smart-slider-plugin-impacts-500k-wordpress-sites/