File read flaw in Smart Slider plugin impacts 500K WordPress sites

By Imthiyaz Ali
File read flaw in Smart Slider plugin impacts 500K WordPress sites

A significant security vulnerability has been identified in Smart Slider 3, one of the most popular WordPress slider plugins. Tracked as CVE-2026-3098, this flaw allows authenticated users—even those with the lowest privilege level (Subscriber)—to read arbitrary files from the host server. With over 800,000 active installations, the impact is widespread, potentially exposing sensitive configuration data and leading to full site takeovers.

The Technical Breakdown: CVE-2026-3098

The vulnerability is classified as an Arbitrary File Read flaw stemming from a Missing Authorization (CWE-862) check within the plugin’s AJAX functionality. Specifically, the issue lies in the actionExportAll function located in the ControllerSliders class.

While the export process utilizes AJAX actions intended for administrators, the plugin failed to implement "capability checks" to verify if the user making the request had the necessary permissions. Furthermore, although a "nonce" (a security token) was present, it was accessible to any authenticated user, allowing them to bypass basic safeguards.

How the Attack Works

  1. Authentication: An attacker logs in with a low-level account (e.g., a Subscriber or Customer).
  2. Nonce Retrieval: The attacker obtains the valid security nonce required for AJAX actions, which is exposed to all logged-in users.
  3. Malicious Request: The attacker sends a crafted POST request to admin-ajax.php, invoking the actionExportAll function with a manipulated file path.
  4. Data Exfiltration: The server executes the request and returns the contents of the requested file, such as wp-config.php.

Impact and Statistics

The severity of this flaw is rated 6.5 (Medium) on the CVSS v3.1 scale, but its practical impact is severe. Access to wp-config.php provides an attacker with:

  • Database Credentials: DB_NAME, DB_USER, and DB_PASSWORD.
  • Authentication Salts: Used to forge session cookies, allowing an attacker to log in as an administrator without a password.
  • Encryption Keys: Potentially exposing other sensitive data stored by the site.
Metric Data
CVE ID CVE-2026-3098
Total Active Installs 800,000+
Estimated Vulnerable Sites ~500,000 (Based on update lag)
Required Privilege Subscriber+
Researcher Bounty $2,208 (Wordfence Bug Bounty)

Discovery and Remediation

The flaw was discovered by researcher Dmitrii Ignatyev and reported via the Wordfence Bug Bounty program on February 23, 2026. The developer, Nextend, acted swiftly to release a patch. However, security telemetry indicates that roughly 500,000 sites remain on outdated, vulnerable versions as of late March 2026.

Recommended Actions for Site Owners

  • Immediate Update: Upgrade Smart Slider 3 to version 3.5.1.34 or higher immediately.
  • Rotate Salts and Keys: If you suspect exposure, generate new Authentication Unique Keys and Salts in your wp-config.php file.
  • Change Database Passwords: Reset your WordPress database password via your hosting control panel.
  • Audit Users: Review all Subscriber and Contributor accounts for any unrecognized or suspicious activity.

Reference Links & Sources

Imthiyaz Ali
Imthiyaz Ali
Imtiyaz is an experienced Cybersecurity Professional with over 5 years of experience in Cybersecurity Research.