- Smart Slider 3 WordPress plugin, utilized by 800,000 sites, revealed a critical Arbitrary File Read vulnerability allowing unauthorized access to sensitive files.
- The flaw let low-privilege accounts exfiltrate credentials and configuration data through the plugin's AJAX export functionality.
- Version 3.5.1.34 contains a patch; however, nearly 500,000 sites remain vulnerable, so users should update immediately.
A well-known WordPress plugin, running on a vast number of websites, has been found to harbor a significant vulnerability that lets attackers steal sensitive information, including login credentials.
Smart Slider 3, a tool that lets users build dynamic, customizable sliders and visual components without writing code, is active on over 800,000 domains.
Versions 3.5.1.33 and earlier, however, contain an Arbitrary File Read weakness that allows authenticated attackers to read files stored on the server.
Patching and Securing Websites
The crux of this vulnerability is the missing permission (capability) check in the plugin's AJAX export functionality. A security token (nonce) is required, but because any authenticated user can obtain it, even subscriber-level accounts can trigger the export.
The actionExportAll() function then bundles the requested files into a downloadable .ZIP using file_get_contents(), without validating the type or location of the files.
Consequently, an attacker can include arbitrary server files in the export, such as critical configuration files (for instance, wp-config.php), and thereby obtain confidential data.
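The pattern described above, as an added illustration that is not Smart Slider 3's code: a WordPress AJAX export handler gated only by a nonce, next to a hardened version that adds a capability check and restricts reads to an allow-listed directory. Names such as myplugin_export_all_vulnerable, the 'myplugin_export' nonce action and the 'files' request parameter are hypothetical; the WordPress functions used (check_ajax_referer, current_user_can, wp_send_json_error, wp_upload_dir, sanitize_file_name) are real.

```php
<?php
// Added example, not Smart Slider 3's code. Handler names, the nonce action
// and the 'files' parameter are hypothetical. Demonstrates why a nonce alone
// is not an authorization check, and what the hardened handler does instead.

// --- Vulnerable pattern: nonce-only gate, unrestricted file reads ------------
function myplugin_export_all_vulnerable() {
    // Any logged-in user (subscriber included) can read this nonce from a
    // page that prints it, so it only proves the request came from a logged-in
    // browser session, not that the caller is allowed to export anything.
    check_ajax_referer( 'myplugin_export', 'nonce' );

    $zip = new ZipArchive();
    $tmp = tempnam( sys_get_temp_dir(), 'export' );
    $zip->open( $tmp, ZipArchive::CREATE );
    foreach ( (array) $_POST['files'] as $file ) {
        // No check on what $file points to: an absolute path such as the
        // site's wp-config.php is read and packed into the archive as-is.
        $zip->addFromString( basename( $file ), file_get_contents( $file ) );
    }
    $zip->close();
    header( 'Content-Type: application/zip' );
    readfile( $tmp );
    unlink( $tmp );
    wp_die();
}

// --- Hardened pattern: capability check plus path allow-listing --------------
function myplugin_export_all_hardened() {
    check_ajax_referer( 'myplugin_export', 'nonce' );

    // Authorization: only users who may manage the site can export.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // Only files inside the plugin's own upload folder may be bundled
    // ('myplugin' subfolder is an assumption for this example).
    $upload = wp_upload_dir();
    $base   = realpath( trailingslashit( $upload['basedir'] ) . 'myplugin' );
    if ( false === $base ) {
        wp_send_json_error( 'export folder missing', 500 );
    }

    $allowed_ext = array( 'json', 'png', 'jpg' );
    $zip = new ZipArchive();
    $tmp = tempnam( sys_get_temp_dir(), 'export' );
    $zip->open( $tmp, ZipArchive::CREATE );
    foreach ( (array) ( $_POST['files'] ?? array() ) as $file ) {
        // Strip any directory component, then resolve against the base dir.
        $name = basename( sanitize_file_name( wp_unslash( $file ) ) );
        $path = realpath( $base . DIRECTORY_SEPARATOR . $name );
        // realpath() resolves symlinks and '..'; reject anything outside $base,
        // anything that is not a regular file, and unexpected extensions.
        $ext = strtolower( pathinfo( (string) $path, PATHINFO_EXTENSION ) );
        if ( false === $path
            || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR )
            || ! is_file( $path )
            || ! in_array( $ext, $allowed_ext, true ) ) {
            continue;
        }
        $zip->addFile( $path, $name );
    }
    $zip->close();
    header( 'Content-Type: application/zip' );
    readfile( $tmp );
    unlink( $tmp );
    wp_die();
}

// Register the hardened handler for logged-in users only (no nopriv variant).
add_action( 'wp_ajax_myplugin_export_all', 'myplugin_export_all_hardened' );
```

The two checks are independent: the capability test stops low-privilege accounts from reaching the export at all, and the path allow-list stops even an administrator's request from pulling files outside the plugin's own data directory. Both belong in any handler that turns user-supplied names into file reads.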
Because some of these files contain sensitive details, such as credentials, keys, or salts, the impact of this vulnerability can be severe. Since the attack requires an authenticated account, however, the vulnerability has been assigned a medium severity rating.
That said, memberships and subscriptions that create low-privilege accounts are commonplace on many sites, which may push the practical risk beyond the indicated severity.
This oversight was initially identified by security researcher Dmitrii Ignatyev in late February 2026, and subsequently reported to Wordfence in early March, earning him a $2,200 bounty for his discovery.
Nextendweb, the maintainers of Smart Slider 3, have released a fix in version 3.5.1.34. At present, the latest update has been downloaded 308,575 times, leaving nearly 500,000 sites vulnerable.
As of now, there are no confirmed instances of the exploit being employed in the wild; however, users are strongly encouraged to promptly update their plugins to avert potential targeting.
Protecting WordPress Websites
WordPress core is generally regarded as a secure platform, but it supports a vast array of third-party, user-generated themes and plugins—both free and premium.
Premium offerings generally have dedicated teams for ongoing maintenance and updates, which makes them less likely to carry unpatched flaws.
Free plugins, by contrast, are frequently built by enthusiasts, small teams, or freelance developers. Many are abandoned or poorly maintained despite their popularity, and they present significant security risks.

Security professionals universally advise keeping WordPress core, themes, and plugins up to date at all times.
They also recommend that users keep only the themes and plugins they actively use and change any default security and privacy settings.
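One way to act on that advice from the command line, as an added example that is not part of the article and not Smart Slider 3's code: a small script run through WP-CLI's `wp eval-file` that lists plugins with a pending update and plugins that are installed but inactive. The file name audit-plugins.php is hypothetical; wp_update_plugins(), get_site_transient('update_plugins'), get_plugins() and is_plugin_active() are WordPress's own functions.

```php
<?php
// Added example, not from the article. Run with:  wp eval-file audit-plugins.php
// (file name hypothetical). Reports the two categories the advice targets:
// plugins that need an update, and plugins installed but not in use.

require_once ABSPATH . 'wp-admin/includes/plugin.php';

function audit_plugins() {
    wp_update_plugins();                                   // refresh update data
    $updates = get_site_transient( 'update_plugins' );
    $pending = isset( $updates->response ) ? $updates->response : array();
    $report  = array( 'outdated' => array(), 'inactive' => array() );

    foreach ( get_plugins() as $file => $data ) {
        if ( isset( $pending[ $file ] ) ) {
            // current version -> version the update server offers
            $report['outdated'][ $file ] = $data['Version'] . ' -> ' . $pending[ $file ]->new_version;
        }
        if ( ! is_plugin_active( $file ) ) {
            // installed but inactive: still on disk, still reachable, rarely watched
            $report['inactive'][ $file ] = $data['Name'];
        }
    }
    return $report;
}

foreach ( audit_plugins() as $category => $items ) {
    WP_CLI::log( strtoupper( $category ) . ': ' . count( $items ) );
    foreach ( $items as $file => $info ) {
        WP_CLI::log( "  $file  $info" );
    }
}
```

Run it on a schedule and alert on a non-empty "outdated" list; the "inactive" list is the candidate set for removal, since an inactive plugin's PHP files remain on disk and can still be requested directly.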
Source link: Techradar.com.