File read flaw in Smart Slider plugin impacts 500K WordPress sites

A vulnerability in the Smart Slider 3 WordPress plugin, active on more than 800,000 websites, can be exploited to allow subscriber-level users access to arbitrary files on the server.

An authenticated attacker could use it to access sensitive files, such as wp-config.php, which includes database credentials, keys, and salt data, creating the risk for user data theft and complete website takeover.

Smart Slider 3 is one of the most popular WordPress plugins for creating and managing image sliders and content carousels. It offers an easy-to-use drag-and-drop editor and a rich set of templates to choose from.

The security issue, tracked as CVE-2026-3098, was discovered and reported by researcher Dmitrii Ignatyev and impacts all versions of the Smart Slider 3 plugin through 3.5.1.33.

It received a medium severity score due to requiring authentication. However, this only limits the impact to websites with membership or subscription options, a feature that is common on many platforms these days.

The vulnerability stems from missing capability checks in the plugin’s AJAX export actions. This allows any authenticated user, including subscribers, to invoke them.

According to researchers at WordPress security company Defiant, the developer of the Wordfence security plugin, the ‘actionExportAll’ function lacks file type and source validation, thus allowing arbitrary server files to be read and added to the export archive.

The presence of a nonce does not prevent abuse because it can be obtained by authenticated users.

“Unfortunately, this function does not include any file type or file source checks in the vulnerable version. This means that not only image or video files can be exported, but .php files can as well,” says István Márton, a vulnerability research contractor at Defiant.

“This ultimately makes it possible for authenticated attackers with minimal access, like subscribers, to read any arbitrary file on the server, including the site’s wp-config.php file, which contains the database credentials as well as keys and salts for cryptographic security.”

500K websites still vulnerable

On February 23, Ignatyev reported his findings to Wordfence, whose researchers validated the provided proof-of-concept exploit and informed Nextendweb, the developer of Smart Slider 3.

Nextendweb acknowledged the report on March 2 and on March 24 delivered a patch with the release of Smart Slider version 3.5.1.34.

According to WordPress.org stats, the plugin was downloaded 303,428 times over the past week. This means that at least 500,000 WordPress sites are running a vulnerable version of the Smart Slider 3 plugin and are exposed to attacks.

CVE-2026-3098 is not flagged as actively exploited as of writing, but the status may change soon, so prompt action is required by website owners/administrations.

Automated Pentesting Covers Only 1 of 6 Surfaces.

Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.

This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.

Get Your Copy Now