Smart Slider 3 file read flaw puts hundreds of thousands of WordPress sites at risk


A newly disclosed flaw in the Smart Slider 3 WordPress plugin can let logged-in attackers with low privileges read arbitrary files from the server. The bug, tracked as CVE-2026-3098, affects Smart Slider 3 versions through 3.5.1.33 and has been patched in version 3.5.1.34.

The issue matters because even a subscriber-level account can abuse it on affected sites. According to Wordfence, the vulnerable actionExportAll function lacks proper file type and file source validation, so an authenticated user can read sensitive files such as wp-config.php.

That file can expose database credentials, authentication keys, and salts. In practice, that can turn a medium-severity plugin bug into a much bigger incident, especially on membership sites, community portals, and stores where subscriber accounts are common.

What happened

Wordfence says researcher Dmitrii Ignatyev reported the issue on February 23, 2026. Wordfence validated the proof of concept on February 24 and sent the details to the Smart Slider team the same day.

The plugin developer acknowledged the report on March 2, 2026, then released a fix on March 24, 2026 in Smart Slider 3 version 3.5.1.34. Wordfence published the public advisory on March 26, 2026.

Smart Slider 3 remains one of the most widely used slider plugins in the WordPress ecosystem. Wordfence described it as having more than 800,000 active installations, while the WordPress.com plugin listing also shows 800K active installations and a March 24, 2026 update date.

Why the flaw is serious

The bug requires authentication, which is why it carries a medium severity rating of 6.5 rather than a high or critical score. Even so, the required access level is very low, because a subscriber account is enough to trigger the vulnerable export action.

That makes the risk more practical than the score might suggest. Many WordPress sites allow user registration for newsletters, comments, memberships, courses, support portals, or WooCommerce accounts, so an attacker may not need admin access to abuse the flaw. This is an inference drawn from the documented subscriber-level requirement and common WordPress deployment patterns, not a claim made in the advisory.

The biggest danger comes from file exposure. If an attacker reads wp-config.php, they may obtain database credentials and cryptographic secrets that can help with further compromise or full site takeover. Wordfence explicitly warns that the flaw can expose those secrets.

Key details

| Item | Verified detail |
|---|---|
| CVE | CVE-2026-3098 |
| Affected versions | Smart Slider 3 through 3.5.1.33 |
| Fixed version | 3.5.1.34 |
| Attack requirement | Authenticated user with Subscriber-level access or higher |
| Vulnerable function | actionExportAll |
| Main risk | Arbitrary file read on the server |
| Example sensitive file | wp-config.php |
| Severity | CVSS 6.5, Medium |

What site owners should do now

  • Update Smart Slider 3 to version 3.5.1.34 immediately.
  • Review whether any low-privilege accounts exist that should not have access anymore. This is a prudent step based on the subscriber-level attack requirement.
  • Check logs for unusual export-related activity from authenticated users. This recommendation follows from the documented abuse path.
  • Rotate database credentials and WordPress salts if you suspect wp-config.php may have been exposed. This is a best-practice response to potential config leakage.
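As an added example (not code from the article, Wordfence, or the plugin), the log check above applied to constructed access-log lines: it counts export requests per client and flags any that reference wp-config.php. It assumes the export action name appears in the request URL, which the advisory does not state; adjust the pattern to your site's actual request format.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format (not real traffic). The query
# strings are made up for the heuristic; the plugin's real request format is an
# assumption here, not something the advisory documents.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Mar/2026:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Mar/2026:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=exportall HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Mar/2026:10:01:11 +0000] "POST /wp-admin/admin-ajax.php?action=exportall&file=wp-config.php HTTP/1.1" 200 3071 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Mar/2026:10:05:40 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9910 "-" "Mozilla/5.0"
192.0.2.44 - - [25/Mar/2026:11:20:05 +0000] "POST /wp-admin/admin-ajax.php?action=exportall HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD URL PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
EXPORT_RE = re.compile(r'exportall', re.IGNORECASE)   # assumed: derived from actionExportAll
SENSITIVE_RE = re.compile(r'wp-config\.php', re.IGNORECASE)

def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_export_activity(log_text, burst_threshold=2):
    """Return (hits_per_ip, flagged, bursty): export requests per client IP,
    export requests naming wp-config.php, and IPs at or above burst_threshold."""
    hits = Counter()
    flagged = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or not EXPORT_RE.search(rec["url"]):
            continue
        hits[rec["ip"]] += 1
        if SENSITIVE_RE.search(rec["url"]):
            flagged.append((rec["ip"], rec["ts"], rec["url"]))
    bursty = sorted(ip for ip, n in hits.items() if n >= burst_threshold)
    return dict(hits), flagged, bursty

if __name__ == "__main__":
    hits, flagged, bursty = find_export_activity(SAMPLE_LOG)
    for ip, n in hits.items():
        print(f"{ip}: {n} export request(s)")
    for ip, ts, url in flagged:
        print(f"FLAG {ip} at {ts}: {url}")
    print("clients with repeated export calls:", bursty)
```

Any hit from an account that has no business exporting sliders is worth correlating with the WordPress user session for that client before deciding whether to rotate credentials.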

How many sites may still be exposed

One figure that has circulated about this flaw needs caution: the claim that “at least 500,000” sites still run a vulnerable version, based on recent download volume. That number is not an official count of unpatched installs. It is only an estimate drawn from download activity and total active installations, not direct telemetry from WordPress.org.

What we can say with confidence is that the plugin has a very large installed base, around 800,000 active sites, and that any site still running version 3.5.1.33 or earlier remains vulnerable.

So the accurate framing is broad exposure, not a precise count of still-vulnerable sites; that avoids presenting an estimate as a confirmed total.

FAQ

What is CVE-2026-3098?

It is an arbitrary file read vulnerability in the Smart Slider 3 WordPress plugin. It affects versions through 3.5.1.33 and lets authenticated users with subscriber access or higher read arbitrary files from the server.

How severe is the Smart Slider 3 flaw?

Wordfence rates it 6.5 out of 10, which is medium severity. The bug still poses a serious practical risk because subscriber-level accounts can exploit it.

What version fixes the issue?

Smart Slider 3 version 3.5.1.34 contains the patch.

Can attackers steal wp-config.php with this bug?

Yes. Wordfence says the flaw can expose arbitrary files on the server, including wp-config.php, which may reveal database credentials, keys, and salts.
