Security Flaw in Smart Slider 3 Plugin Poses Risk to Over 800,000 Websites
A significant vulnerability has been identified within the Smart Slider 3 plugin for WordPress, utilized by more than 800,000 sites. This flaw allows authenticated users with subscriber-level permissions to gain access to arbitrary files stored on the server.
An attacker could exploit this vulnerability to read sensitive files, including the critical wp-config.php file. That file holds the database credentials and security keys, so exposing it raises the risk of a data breach and of full website compromise.
Smart Slider 3 ranks among the most popular WordPress plugins, facilitating the creation and management of image sliders and content carousels through an intuitive drag-and-drop interface and an extensive array of customizable templates.
The vulnerability, designated CVE-2026-3098, was discovered and reported by researcher Dmitrii Ignatyev. It affects all versions of the Smart Slider 3 plugin up to and including 3.5.1.33.
With a medium severity rating, the vulnerability requires user authentication for exploitation. However, its implications extend to numerous websites that incorporate membership or subscription functionalities, a prevalent feature in contemporary web platforms.
The root of the issue lies in the inadequate capability checks in the plugin’s AJAX export processes, allowing any authenticated user, including subscribers, to execute these actions.
According to experts from WordPress security firm Defiant, the developer behind the Wordfence security plugin, the actionExportAll function notably lacks validation for file types and sources.
Consequently, server files that should never be exportable can be read and bundled into the export archive.
The inclusion of a nonce fails to mitigate this risk, as authenticated users can readily acquire this token. Regrettably, this function does not incorporate necessary file type or source checks in the vulnerable version.
Hence, it permits not only the export of images or videos, but also .php files, states István Márton, a vulnerability research contractor at Defiant.
“This ultimately enables authenticated attackers—who possess minimal access, such as subscribers—to read any arbitrary file on the server, including critical files such as wp-config.php, which holds essential database credentials as well as cryptographic keys and salts.”
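The three checks the vulnerable handler is described as missing are a capability check, a file-source check and a file-type check. The following is an added illustration of a hardened WordPress AJAX export handler; it is hypothetical example code, not Smart Slider 3's own, and the action name, nonce action and function names are assumptions.

```php
<?php
// Hypothetical hardened AJAX export handler (example code, not Smart Slider 3's).
// It demonstrates the checks the article says the vulnerable handler lacked.

add_action( 'wp_ajax_example_export', 'example_export_handler' ); // assumed action name

function example_export_handler() {
    // 1. Nonce: ties the request to a page the user loaded. As the article notes,
    //    any authenticated user can obtain one, so on its own it is not sufficient.
    check_ajax_referer( 'example_export_nonce', 'nonce' );

    // 2. Capability check: a subscriber-level account must never reach an export routine.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $requested = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $path      = example_resolve_export_path( $requested );
    if ( null === $path ) {
        wp_send_json_error( 'file not allowed', 400 );
    }

    // Only a validated path is read into the export archive.
    wp_send_json_success( array( 'bytes' => filesize( $path ) ) );
}

// 3. Source and type checks: resolve a user-supplied name to a file inside the
//    uploads directory and accept only slider media types.
function example_resolve_export_path( $name ) {
    $allowed_ext = array( 'jpg', 'jpeg', 'png', 'gif', 'webp', 'mp4' );
    $base        = realpath( wp_upload_dir()['basedir'] );
    $real        = realpath( $base . '/' . $name ); // collapses ../ sequences

    // Source check: the resolved path must remain inside the uploads directory.
    if ( false === $real || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }

    // Type check: .php and anything else outside the allowlist is refused,
    // so wp-config.php can never be selected regardless of the path given.
    $ext = strtolower( pathinfo( $real, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, $allowed_ext, true ) ) {
        return null;
    }
    return $real;
}
```

The order matters: the capability check runs before any file name is inspected, so an unprivileged user is rejected before the path logic is even exercised.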
A Staggering Number of Websites Remain at Risk
On February 23, Ignatyev disclosed his findings to Wordfence, whose team subsequently verified the proof-of-concept exploit and notified Nextendweb, the developer behind Smart Slider 3.
Nextendweb acknowledged the report on March 2 and released a patched version, Smart Slider 3.5.1.34, on March 24.

According to WordPress.org statistics, the plugin saw 303,428 downloads in the preceding week. This translates to at least 500,000 WordPress sites operating on vulnerable versions of the Smart Slider 3 plugin, leaving them susceptible to potential attacks.
As of now, CVE-2026-3098 is not known to be actively exploited; however, that can change quickly. Website owners and administrators are therefore urged to update to the patched version without delay.
Source link: Bleepingcomputer.com.