A significant security vulnerability has been identified in Smart Slider 3, a highly popular WordPress slider plugin with over 800,000 installations, putting a vast number of websites at risk of data breaches.
This flaw, designated as CVE-2026-3098, is a medium-severity issue that permits attackers with minimal privileges to access and download sensitive configuration files from the server. This vulnerability is particularly alarming for sites that permit open user registration, as even a basic subscriber account can be exploited to carry out an attack.
Understanding the Plugin Vulnerability
The flaw is categorized as an Authenticated Arbitrary File Read and is rooted in the plugin’s export functionality, specifically the actionExportAll() function of the ControllerSliders class. In normal operation, this function uses multiple AJAX requests to compile and download slider export files.
While one key action in this process is protected by a security nonce, attackers can easily retrieve this token in affected versions of the plugin. The absence of proper capability checks in the AJAX functions further compounds the issue, allowing any authenticated user to execute the export action, bypassing administrative requirements.
Exploiting the Export Function
Moreover, the function that builds the export zip does not validate the source or type of the files being included. As a result, threat actors can misuse this feature to export core server files, including files with .php extensions, effectively circumventing WordPress’s protections. The most critical risk posed by this vulnerability is exposure of the site’s wp-config.php file.
Should an attacker download this file, they would gain immediate access to database credentials and cryptographic keys, enabling them to bypass authentication, escalate privileges, and seize control of the server.
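The write-up names two missing controls: the AJAX export handler did not check the caller’s capability (a nonce alone was relied on), and the zip builder did not restrict which files it would include. The following is an added illustrative example of how a WordPress plugin would implement both controls; it is not Smart Slider 3 or Nextend code, and the hook name, function names (example_export_all, example_collect_files) and the export directory name are hypothetical.

```php
<?php
// Added illustrative example (not Smart Slider 3 / Nextend code).
// Demonstrates the two checks the article describes as missing: a capability
// check on an AJAX export handler, and validation of which files may be placed
// in the export zip. Hook and function names are hypothetical.

// Only the privileged hook is registered (no wp_ajax_nopriv_ variant), so
// unauthenticated requests never reach the handler.
add_action( 'wp_ajax_example_export', 'example_export_all' );

function example_export_all() {
    // Nonce: proves the request came from a page this site rendered for the
    // user. Dies with HTTP 403 if it does not verify.
    check_ajax_referer( 'example_export_nonce', 'nonce' );

    // Capability: a nonce says nothing about *who* is calling. Any logged-in
    // user can read a nonce out of a page they are allowed to view, so the
    // handler must independently require an administrative capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $requested = isset( $_POST['files'] ) ? (array) wp_unslash( $_POST['files'] ) : array();
    $files     = example_collect_files( $requested );

    if ( empty( $files ) ) {
        wp_send_json_error( array( 'message' => 'Nothing to export.' ), 400 );
    }

    // Building and streaming the zip from $files is omitted here; the point is
    // that only vetted paths ever reach that step.
    wp_send_json_success( array( 'count' => count( $files ) ) );
}

/**
 * Reduce a list of user-supplied paths to files that are safe to export:
 * located inside the plugin's own export directory under wp-content/uploads
 * and carrying an allow-listed extension. Paths that escape the directory
 * (e.g. via ../ or symlinks) or that name .php files are dropped.
 */
function example_collect_files( array $requested ) {
    $upload  = wp_upload_dir();
    $base    = realpath( trailingslashit( $upload['basedir'] ) . 'example-slider-export' );
    $allowed = array( 'json', 'jpg', 'jpeg', 'png', 'gif', 'webp', 'css', 'mp4' );
    $safe    = array();

    if ( false === $base ) {
        return $safe; // export directory does not exist yet
    }

    foreach ( $requested as $path ) {
        // realpath() resolves symlinks and ../ segments before the comparison.
        $real = realpath( $base . '/' . ltrim( (string) $path, '/\\' ) );
        if ( false === $real || ! is_file( $real ) ) {
            continue;
        }
        // Compare with a trailing separator so "export-other" cannot match "export".
        if ( 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
            continue;
        }
        $ext = strtolower( pathinfo( $real, PATHINFO_EXTENSION ) );
        if ( ! in_array( $ext, $allowed, true ) ) {
            continue;
        }
        $safe[] = $real;
    }
    return $safe;
}
```

The order matters: the nonce check alone would have left exactly the gap described above, because a subscriber who can load a page containing the nonce can replay it. The capability check decides who may export at all, and the path filter decides what may be exported, so a request for wp-config.php fails both the directory prefix check and the extension allow-list even if it were issued by an administrator.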
Response and Mitigation Efforts
Security researcher Dmitrii Ignatyev discovered the vulnerability, reporting it via the Wordfence Bug Bounty Program on February 23, 2026, and received a $2,208 reward. Wordfence acted swiftly, issuing a firewall rule to block exploit attempts for its Premium, Care, and Response users on February 24, with free users receiving protection on March 26.
The plugin’s developers, Nextend, acknowledged the issue and released a fully patched version on March 24, 2026. Website administrators are strongly advised to update their Smart Slider 3 plugin to version 3.5.1.34 immediately to protect their sites from potential attacks.
