WordPress Plugin Flaw Exposes Sensitive Data from 800,000+ Websites

A critical security flaw in the widely used Smart Slider 3 WordPress plugin has put over 800,000 websites at risk of sensitive data exposure, allowing even low-privileged authenticated attackers to read arbitrary files, including those containing database credentials.

Vulnerability Overview

Wordfence researchers confirmed on February 23, 2026, that Smart Slider 3, a popular slider builder plugin with more than 800,000 active WordPress installations, contains an Arbitrary File Read vulnerability tracked as CVE-2026-3098.

The flaw carries a CVSS score of 6.5 (Medium) and affects all versions up to and including 3.5.1.33.

The vulnerability was discovered and responsibly disclosed by security researcher Dmitrii Ignatyev through the Wordfence Bug Bounty Program, earning a bounty of $2,208.00.

Technical Details

The vulnerability resides in the actionExportAll() function within the ControllerSliders class, which handles the slider export file download process.

While the plugin’s export process does include a nonce-protected AJAX action, authenticated attackers can obtain the nonce in the vulnerable versions, rendering this protection ineffective.

More critically, the AJAX functions lack any capability checks, meaning any authenticated user, including those with subscriber-level access, can invoke the export action.

The core of the problem lies in the ExportSlider class’s create() function, which processes files during the export operation.

This function contains no file type validation or file source verification, meaning it can export not only legitimate media files like images and videos, but also sensitive server files, including PHP scripts.

As a result, attackers can weaponize the export functionality to retrieve the site’s wp-config.php file, which stores database credentials, authentication keys, and cryptographic salts, data that could be used to fully compromise an affected WordPress installation.

The low barrier to exploitation makes this flaw particularly dangerous. An attacker only needs a subscriber-level account, the most basic form of authenticated access on a WordPress site, to trigger the vulnerable export function.

Once exploited, the attacker can package arbitrary server files into a downloadable ZIP archive, effectively exfiltrating configuration data, credentials, or other sensitive server-side content without any elevated privileges.
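As an added illustration, not code from Smart Slider 3 or from Nextend, the following WordPress AJAX export handler applies the two controls the write-up says were missing: a capability check before the export runs, and verification that every file queued for the archive is a media file that resolves to a location under the uploads directory. The action name, the function names and the request parameter are assumptions.

```php
<?php
// Added example, not from the Smart Slider 3 plugin. All names are hypothetical.
add_action( 'wp_ajax_example_export_sliders', 'example_handle_export_sliders' );

function example_handle_export_sliders() {
    // A nonce alone is not an authorization control: any logged-in user can hold one.
    check_ajax_referer( 'example_export_nonce', 'nonce' );

    // Capability check: subscriber-level accounts must never reach the export.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $requested = isset( $_POST['files'] ) ? (array) wp_unslash( $_POST['files'] ) : array();
    $safe      = array();
    foreach ( $requested as $path ) {
        $checked = example_resolve_export_file( (string) $path );
        if ( null === $checked ) {
            // Fail closed: one bad entry aborts the whole export.
            wp_send_json_error( 'rejected file: ' . basename( (string) $path ), 400 );
        }
        $safe[] = $checked;
    }
    // Only the validated paths in $safe would be added to the ZIP archive here.
    wp_send_json_success( array( 'count' => count( $safe ) ) );
}

/**
 * Returns the canonical path when $path is an allowed media file inside the
 * uploads directory, otherwise null. realpath() collapses traversal sequences
 * and follows symlinks, so wp-config.php and PHP scripts are refused.
 */
function example_resolve_export_file( $path ) {
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    $real    = realpath( $path );
    if ( false === $base || false === $real ) {
        return null;
    }
    // File source verification: the resolved path must live under uploads/.
    if ( 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    // File type validation: allow-list of media extensions, nothing executable.
    $allowed  = array( 'jpg', 'jpeg', 'png', 'gif', 'webp', 'mp4', 'webm' );
    $filetype = wp_check_filetype( $real );
    if ( empty( $filetype['ext'] ) || ! in_array( strtolower( $filetype['ext'] ), $allowed, true ) ) {
        return null;
    }
    return $real;
}
```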

Wordfence coordinated a responsible disclosure process with the plugin’s developer, Nextend, sharing full vulnerability details on February 24, 2026.

The vendor acknowledged the report on March 2, 2026, and released the fully patched release, Smart Slider 3 version 3.5.1.34, on March 24, 2026.

Wordfence Premium, Care, and Response users received a firewall rule to block exploit attempts starting February 24, 2026, while free-tier Wordfence users received the same protection on March 26, 2026, 30 days later.

WordPress site administrators running Smart Slider 3 are strongly urged to update immediately to version 3.5.1.34 or later.

The following steps are advised:

  • Log in to your WordPress dashboard and navigate to Plugins → Installed Plugins
  • Locate Smart Slider 3 and apply the available update to version 3.5.1.34
  • If Wordfence is installed, confirm that your firewall rules are active and up to date
  • Review server logs for any unusual export requests that may indicate prior exploitation attempts
  • Rotate database credentials and WordPress security keys/salts if compromise is suspected

With over 800,000 active installations, Smart Slider 3 represents a significant attack surface. Users who have not yet applied the patch should treat this as a high-priority update, particularly given the ease of exploitation and the sensitivity of data that can be exposed.

The post WordPress Plugin Flaw Exposes Sensitive Data from 800,000+ Websites appeared first on Cyber Security News.