High-Severity Vulnerability in Smart Slider 3 Plugin Exposes 800,000+ WordPress Sites
A critical security flaw (CVE-2026-3098) has been identified in Smart Slider 3, a widely used WordPress plugin with over 800,000 active installations. The vulnerability, classified as an Authenticated Arbitrary File Read, allows attackers with minimal permissions, such as subscriber-level access, to download sensitive configuration files from affected servers.
The flaw resides in the plugin’s export functionality, specifically within the actionExportAll() function of the ControllerSliders class. The feature is designed to compile and export slider assets, but it lacks proper capability checks and file validation, so a low-privilege authenticated user can invoke it and read files outside the intended export set. Exploiting this oversight, threat actors can extract core server files, including the wp-config.php file, which contains database credentials, cryptographic keys, and session salts.
If compromised, this data could allow attackers to escalate privileges, bypass authentication, and gain full control of the targeted website. The risk is heightened for sites with open user registration, as even low-privilege accounts can exploit the flaw.
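As an added illustration (not Smart Slider 3's or Nextend's code), this is the shape a hardened export handler takes in a WordPress plugin: the capability and nonce checks the article says were missing, plus path validation that confines the served file to the plugin's own export directory. The plugin slug `myplugin`, the export directory, the `file` parameter and the action name are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumes a hypothetical plugin slug
// 'myplugin' whose export archives live under wp-content/uploads/myplugin-exports/.

function myplugin_export_dir() {
    $upload = wp_upload_dir();
    return trailingslashit( $upload['basedir'] ) . 'myplugin-exports/';
}

// Resolve the requested file name and confirm it stays inside the export
// directory. realpath() collapses "..", symlinks and encoding tricks, so a
// prefix comparison on the resolved path is a reliable containment check.
// Returns the real path on success, false otherwise.
function myplugin_resolve_export( $requested ) {
    $base = realpath( myplugin_export_dir() );
    $path = realpath( myplugin_export_dir() . basename( $requested ) );
    if ( false === $base || false === $path ) {
        return false; // directory or file does not exist
    }
    if ( 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false; // resolved outside the export directory
    }
    if ( 'zip' !== strtolower( pathinfo( $path, PATHINFO_EXTENSION ) ) ) {
        return false; // only export archives are served, never config files
    }
    return $path;
}

function myplugin_action_export_all() {
    // 1. Capability check: a subscriber-level account must never reach this path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. Nonce check: the request must come from the plugin's own admin screen.
    check_admin_referer( 'myplugin_export_all' );

    // 3. File validation: never stream a path the client chose unchecked.
    $requested = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';
    $file      = myplugin_resolve_export( $requested );
    if ( false === $file ) {
        wp_die( 'Invalid export file', 400 );
    }
    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . basename( $file ) . '"' );
    readfile( $file );
    exit;
}
add_action( 'admin_post_myplugin_export_all', 'myplugin_action_export_all' );
```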
Security researcher Dmitrii Ignatyev discovered the vulnerability and reported it via the Wordfence Bug Bounty Program on February 23, 2026, earning a $2,208 reward. Wordfence deployed a firewall rule to protect Premium, Care, and Response users on February 24, with free users receiving the same rule on March 26.
The plugin’s developers, Nextend, released a patched version (3.5.1.34) on March 24, 2026, addressing the issue. Administrators are advised to update immediately to mitigate potential exploitation.
Source: https://cybersecuritynews.com/wordpress-plugin-vulnerability-exposes/
Nextend Software & Services cybersecurity rating report (Rankiteo): https://www.rankiteo.com/company/nextend-software-&-services
Rankiteo incident record:

id: NEX1774959910
linkid: nextend-software-&-services
type: Vulnerability
date: 2/2026
severity: 85
impact: 4
explanation: Attack with significant impact with customer data leaks

affected_entities:
  - name: Smart Slider 3 Plugin Users
    type: WordPress Websites
    industry: Web Development, Content Management
    location: Global
    size: 800,000+ active installations
attack_vector: Authenticated Arbitrary File Read
data_breach:
  data_exfiltration: Possible if exploited
  file_types_exposed: wp-config.php
  sensitivity_of_data: High (database credentials, cryptographic keys, session salts)
  type_of_data_compromised: Configuration files (wp-config.php)
date_detected: 2026-02-23
date_publicly_disclosed: 2026-03-24
date_resolved: 2026-03-24
description: A critical security flaw (CVE-2026-3098) has been identified in Smart Slider 3, a widely used WordPress plugin with over 800,000 active installations. The vulnerability, classified as an Authenticated Arbitrary File Read, allows attackers with minimal permissions such as subscriber-level access to download sensitive configuration files from affected servers. The flaw resides in the plugin’s export functionality, enabling attackers to extract core server files, including the wp-config.php file, which contains database credentials, cryptographic keys, and session salts. This could allow attackers to escalate privileges, bypass authentication, and gain full control of the targeted website.
impact:
  data_compromised: Database credentials, cryptographic keys, session salts
  identity_theft_risk: High (if personally identifiable information is exposed)
  operational_impact: Potential full control of affected websites
  systems_affected: WordPress sites using Smart Slider 3 plugin (800,000+ installations)
investigation_status: Resolved
lessons_learned: Importance of proper capability checks and file validation in plugin functionality to prevent unauthorized access to sensitive files.
post_incident_analysis:
  corrective_actions: Patch released to address the vulnerability (version 3.5.1.34).
  root_causes: Lack of proper capability checks and file validation in the plugin’s export functionality.
recommendations: Immediately update Smart Slider 3 to version 3.5.1.34 or later. Sites with open user registration should review subscriber-level permissions and consider additional security measures.
references: Wordfence Bug Bounty Program
response:
  communication_strategy: Public disclosure and advisory
  containment_measures: Firewall rule deployed by Wordfence
  remediation_measures: Patch released (version 3.5.1.34)
  third_party_assistance: Wordfence Bug Bounty Program
stakeholder_advisories: WordPress administrators and Smart Slider 3 users advised to update immediately.
title: High-Severity Vulnerability in Smart Slider 3 Plugin Exposes 800,000+ WordPress Sites
type: Vulnerability Exploitation
vulnerability_exploited: CVE-2026-3098