Critical Flaw in Smart Slider 3 Plugin Affects Over 800K WordPress Sites
Severity: High (Score: 72.0)
Sources: Cybersecuritynews, Gbhackers, Bleepingcomputer
Summary
A severe security vulnerability, tracked as CVE-2026-3098, has been identified in the Smart Slider 3 plugin, impacting over 800,000 WordPress sites. Discovered by researcher Dmitrii Ignatyev, this flaw allows authenticated attackers to read arbitrary files from the server, potentially exposing sensitive data such as database credentials. The vulnerability affects all versions of the plugin up to 3.5.1.33, and while it has not been actively exploited yet, the risk remains significant due to the number of affected sites.
The issue arises from the lack of file type and source validation in the 'actionExportAll' function, which can be abused by authenticated users. A patch was released on March 24, 2026, to address this vulnerability. Website administrators are urged to update to version 3.5.1.34 to mitigate the risk. The plugin has seen significant downloads recently, indicating a large potential attack surface.
Key Points:
- CVE-2026-3098 affects over 800,000 WordPress sites using Smart Slider 3.
- Authenticated attackers can exploit the flaw to read sensitive server files.
- A patch was released on March 24, 2026; immediate updates are recommended.
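To find installs still on an affected release, the version check above can be run across a hosting directory. The following is an added example, not code from the plugin or the cited sources; it assumes one WordPress docroot per subdirectory and the default plugin path `wp-content/plugins/smart-slider-3/smart-slider-3.php`, and the sample sites are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (3, 5, 1, 34)  # first patched release named in the summary
# Assumption: default plugin slug and main file name on a standard install.
PLUGIN_FILE = Path("wp-content/plugins/smart-slider-3/smart-slider-3.php")
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.M | re.I)

def parse_version(header_text):
    """Return the plugin header's Version as a tuple of ints, or None."""
    m = VERSION_RE.search(header_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(version):
    """True for every release up to 3.5.1.33 (numeric, not string, compare)."""
    padded = version + (0,) * (len(FIXED) - len(version))
    return padded < FIXED

def audit(webroot):
    """Map each WordPress docroot under webroot to (version, status)."""
    results = {}
    for plugin in sorted(Path(webroot).glob(f"*/{PLUGIN_FILE.as_posix()}")):
        site = plugin.parents[3].name
        # WordPress itself reads header fields from the start of the file only.
        version = parse_version(plugin.read_text(errors="replace")[:8192])
        if version is None:
            results[site] = (None, "unknown")
        else:
            results[site] = (".".join(map(str, version)),
                             "affected" if is_affected(version) else "patched")
    return results

def demo():
    """Build three constructed sites in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as root:
        for site, ver in [("shop", "3.5.1.33"), ("blog", "3.5.1.34"), ("old", "3.5.1.9")]:
            f = Path(root, site, PLUGIN_FILE)
            f.parent.mkdir(parents=True)
            f.write_text(f"<?php\n/*\nPlugin Name: Smart Slider 3\nVersion: {ver}\n*/\n")
        return audit(root)

if __name__ == "__main__":
    for site, (ver, status) in demo().items():
        print(f"{site}: {ver} -> {status}")
```

The constructed `3.5.1.9` case shows why the comparison is done on integer tuples: as a string it would sort after `3.5.1.34` and be reported as patched.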
Key Entities
- Data Breach (attack_type)
- CVE-2026-3098 (cve)
- Smart Slider 3 (platform)
- WordPress (platform)