Smart Slider 3 flaw puts 800,000-plus WordPress sites at risk of sensitive file exposure
A newly disclosed vulnerability in the WordPress plugin Smart Slider 3 could let low-privilege authenticated users read sensitive files from the server, including wp-config.php in some cases. The flaw, tracked as CVE-2026-3098, affects Smart Slider 3 versions through 3.5.1.33 and has been patched in version 3.5.1.34.
The issue matters because Smart Slider 3 has more than 800,000 active installations, which gives the bug a wide potential footprint even though it requires authentication. Wordfence rated it 6.5 out of 10 and said attackers with Subscriber-level access or higher can exploit it.
Sites that allow user registration face the highest immediate risk because a basic account may be enough to abuse the vulnerable export functionality. Security researchers say that turns a routine feature into a path for reading arbitrary files on the server.
How the vulnerability works
The flaw sits in the plugin’s export workflow, specifically the actionExportAll function. Wordfence says the plugin failed to enforce proper authorization checks, which allowed authenticated users with minimal privileges to trigger an export action they should not have been able to access.
The export logic also failed to safely restrict which files could be added to the generated archive. That opened the door to arbitrary file read, meaning an attacker could potentially package and download sensitive files from the hosting environment instead of only media or slider-related assets.
One of the most serious outcomes involves wp-config.php, which can contain database credentials, authentication keys, salts, and other secrets. If exposed, that data could help an attacker escalate access or move toward full site compromise.
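As an added illustration (not Smart Slider 3's own code), the following hypothetical WordPress "export all" AJAX handler shows the two controls the article describes as missing: a capability check before the export runs, and confinement of every archived file to the plugin's own directory. The hook name, function name, nonce action and export directory are assumed.

```php
<?php
// Hypothetical hardened "export all" AJAX handler for a WordPress plugin.
// Added illustration only; not code from Smart Slider 3. Names such as
// example_plugin_export_all and the export directory are assumed.

add_action('wp_ajax_example_plugin_export_all', 'example_plugin_export_all');

function example_plugin_export_all() {
    // Control 1: authorization. Subscribers must never reach the export
    // logic; require a capability only administrators hold by default.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('Insufficient privileges', 403);
    }
    // Reject forged cross-site requests made from a logged-in admin's browser.
    check_ajax_referer('example_plugin_export_all', 'nonce');

    // Control 2: path confinement. Canonicalize the allowed root once and
    // refuse any file whose canonical path lies outside it.
    $root = realpath(trailingslashit(wp_upload_dir()['basedir']) . 'example-plugin');
    if ($root === false) {
        wp_send_json_error('Export root not found', 500);
    }
    $requested = isset($_POST['files']) ? (array) wp_unslash($_POST['files']) : array();

    $tmp = tempnam(get_temp_dir(), 'export');
    $zip = new ZipArchive();
    if ($zip->open($tmp, ZipArchive::OVERWRITE) !== true) {
        wp_send_json_error('Cannot create archive', 500);
    }
    foreach ($requested as $name) {
        // realpath() resolves "../" segments and symlinks, so a prefix test
        // against $root catches traversal as well as link-based escapes.
        $real = realpath($root . DIRECTORY_SEPARATOR . ltrim((string) $name, '/\\'));
        if ($real === false || !is_file($real)
            || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
            error_log('export: refused path ' . sanitize_text_field((string) $name));
            continue;
        }
        // Store entries under a path relative to the root, never absolute.
        $zip->addFile($real, substr($real, strlen($root) + 1));
    }
    $zip->close();

    header('Content-Type: application/zip');
    header('Content-Disposition: attachment; filename="export.zip"');
    readfile($tmp);
    unlink($tmp);
    wp_die();
}
```

Refused paths are logged rather than silently dropped, which gives the log review recommended later in the article something concrete to look for.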
Why this bug is dangerous
The CVSS score is only medium because the flaw needs authentication, but that does not make it harmless. BleepingComputer notes that the requirement for a logged-in account mainly limits exploitation to sites with membership, subscriber, or open registration features, which remain common across WordPress deployments.
That is why the real-world risk can still be high. A plugin installed on a public-facing site with open registrations can turn a low-privilege account into a starting point for reading highly sensitive files from the server.
TechRadar reported that roughly 500,000 sites may still have been unpatched at the time of coverage, despite the plugin’s large install base and the availability of a fix. That gap leaves a large number of websites exposed if administrators delay updates.
Patch timeline and response
Wordfence says researcher Dmitrii Ignatyev reported the vulnerability through its Bug Bounty Program on February 23, 2026. Wordfence validated the issue the next day and sent full disclosure details to the vendor immediately.
The plugin developer patched the issue in Smart Slider 3 version 3.5.1.34. Wordfence also pushed firewall protection to Premium, Care, and Response users on February 24, while users on the free Wordfence tier received the same protection on March 26.
There are no widely cited reports of active exploitation yet, but the usual pattern for WordPress plugin bugs is fast weaponization after public disclosure. That makes patch speed more important than waiting for confirmed attacks in the wild.
Affected and patched versions
| Plugin | Affected versions | Patched version | Vulnerability |
|---|---|---|---|
| Smart Slider 3 | Up to and including 3.5.1.33 | 3.5.1.34 | Authenticated arbitrary file read |
What site owners should do now
Site owners should update Smart Slider 3 to version 3.5.1.34 or later immediately. That is the vendor-backed fix listed by Wordfence and multiple security trackers.
Administrators should also review whether their site allows open registration and whether Subscriber-level users are necessary at all. On sites where registration is open, even a medium-severity authenticated flaw can become much easier to exploit at scale.
If patching was delayed, it is worth reviewing logs for suspicious export activity and checking whether sensitive files may have been packaged or downloaded unexpectedly. Any site that may have exposed wp-config.php should rotate database credentials and WordPress salts as a precaution.
Quick takeaways
- CVE-2026-3098 affects Smart Slider 3 through version 3.5.1.33.
- The flaw allows authenticated users with Subscriber-level access or higher to read arbitrary files.
- Sites with open registration face a higher practical risk.
- The issue is fixed in version 3.5.1.34.
- More than 800,000 active installations make this a large-scale WordPress exposure.
FAQ
What is CVE-2026-3098? It is an authenticated arbitrary file read vulnerability in the WordPress plugin Smart Slider 3. It affects versions up to and including 3.5.1.33.
Who can exploit it? Wordfence says authenticated users with Subscriber-level access or higher can exploit the bug.
Why is wp-config.php important in this attack? That file may contain WordPress database credentials, authentication keys, and salts. If attackers read it, they gain access to sensitive secrets that help them escalate further.
Which version fixes it? Smart Slider 3 version 3.5.1.34 patches the vulnerability.