WordPress Plugin Flaw Exposes Sensitive Data Across 800,000+ Sites

A severe security flaw has been disclosed in Smart Slider 3, a highly popular WordPress plugin currently active on more than 800,000 websites.

Discovered by security researcher Dmitrii Ignatyev, this vulnerability enables authenticated attackers to read arbitrary files directly from the hosting server.

If exploited, the flaw exposes critical backend infrastructure to unauthorized users.

Vulnerability Profile

  • CVE Identifier: CVE-2026-3098
  • CVSS Rating: 6.5 (Medium)
  • Affected Software: Smart Slider 3
  • Vulnerable Versions: 3.5.1.33 and earlier
  • Patched Version: 3.5.1.34
  • Vulnerability Type: Authenticated Arbitrary File Read
  • Required Privilege: Subscriber-level or higher

The root cause of this vulnerability lies deep within the plugin’s export architecture.

Smart Slider 3 utilizes a series of AJAX actions to facilitate the exporting of slider data.

Although the plugin developers correctly implemented a nonce token to protect the primary export action, they neglected to enforce strict capability checks.

Because the nonce is accessible to any authenticated user, low-privileged accounts like basic subscribers can easily obtain it and invoke the AJAX request.

During execution, the plugin relies on the actionExportAll() function within the ControllerSliders class to manage the final download of the export file.

This process calls the create() method inside the ExportSlider class, which compresses the targeted data into a ZIP archive.

Unfortunately, the vulnerable versions entirely lack file type validation during this packaging phase.

As a result, the plugin blindly processes and packages system files, including .php scripts, instead of restricting exports solely to multimedia files.

By weaponizing the lack of permission checks in the actionExportAll function, a malicious actor can manipulate the export routine to target sensitive system files.

This vulnerability allows an attacker with mere subscriber access to quietly extract critical configuration data.

The primary target during such an attack is typically the wp-config.php file.

Reading this specific file provides the attacker with plaintext database credentials, secret authentication keys, and cryptographic salts.

Armed with this sensitive information, threat actors can escalate their privileges, manipulate database records, or achieve a complete website takeover.

Ignatyev responsibly disclosed the vulnerability on February 23, 2026, earning a $2,208 bounty through a bug hunting program.

Following validation, protective firewall rules were deployed for premium security customers the next day.

The plugin developer, Nextend, acknowledged the report and promptly released version 3.5.1.34 on March 24, 2026, to fully resolve the missing capability checks.

Website administrators must urgently verify their plugin library and update Smart Slider 3 to version 3.5.1.34 to prevent unauthorized data access.

Related Articles

Back to top button