Arbitrary file read vulnerability in Smart Slider 3 plugin exposes WordPress sites to credential theft
Summary
A missing capability check in the Smart Slider 3 WordPress plugin allows authenticated users, including subscribers, to read arbitrary files on the server. This flaw affects over 800,000 active installations and enables access to sensitive files such as wp-config.php, exposing database credentials, cryptographic keys, and salts. The vulnerability, tracked as CVE-2026-3098, was patched in version 3.5.1.34 on March 24, 2026, but approximately 500,000 sites remain unpatched and at risk of user data theft or full site compromise.
Timeline
- 29.03.2026 17:38 (1 article)
Patch issued for Smart Slider 3 arbitrary file read vulnerability (CVE-2026-3098)
Smart Slider 3 version 3.5.1.34, released on March 24, 2026, addresses CVE-2026-3098, a vulnerability allowing authenticated users to read arbitrary server files. The update removes the insecure 'actionExportAll' function and adds capability checks to prevent unauthorized file access. Users are urged to update immediately to prevent credential exposure and potential site takeover.
- File read flaw in Smart Slider plugin impacts 500K WordPress sites — www.bleepingcomputer.com — 29.03.2026 17:38
Information Snippets
- CVE-2026-3098 is an arbitrary file read vulnerability in Smart Slider 3 affecting all versions through 3.5.1.33. (First reported: 29.03.2026 17:38, 1 source, 1 article)
- The flaw arises from missing capability checks and the absence of file type/source validation in the plugin's AJAX export actions, specifically the 'actionExportAll' function. (First reported: 29.03.2026 17:38, 1 source, 1 article)
- Authenticated users, including subscribers with minimal access, can exploit the flaw to read any server file, including wp-config.php, which contains database credentials and cryptographic keys. (First reported: 29.03.2026 17:38, 1 source, 1 article)
- The vulnerability was discovered by researcher Dmitrii Ignatyev, reported on February 23, 2026, and patched in Smart Slider 3.5.1.34, released on March 24, 2026. (First reported: 29.03.2026 17:38, 1 source, 1 article)
- As of March 29, 2026, the plugin had 800,000+ active installations, with over 303,000 downloads in the past week; an estimated 500,000 sites remain unpatched and vulnerable. (First reported: 29.03.2026 17:38, 1 source, 1 article)
- The flaw received a CVSS medium severity rating because it requires authentication, though exploitation could lead to full site compromise and data theft. (First reported: 29.03.2026 17:38, 1 source, 1 article)
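The root cause listed above (a missing capability check and no file type or source validation in an AJAX export action) is illustrated by the following added example, which is not Smart Slider 3's code: a hypothetical WordPress admin-ajax export handler carrying the checks the described flaw lacked. Every hook, action, directory and file-extension name here is an assumption.

```php
<?php
// Added illustration, not the plugin's own code. Hook name, action name,
// export directory and allowed extension are all hypothetical.
add_action( 'wp_ajax_example_export', 'example_export_handler' );

function example_export_handler() {
    // 1. Capability check: only administrators may trigger an export.
    //    Without this, any authenticated user (even a subscriber) can call the action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the request must carry a valid nonce for this action.
    check_ajax_referer( 'example_export', 'nonce' );

    // 3. Source validation: accept a bare file name only, never a path, so
    //    directory traversal toward files such as wp-config.php is rejected.
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( '' === $name || $name !== basename( $name ) ) {
        wp_send_json_error( 'invalid file name', 400 );
    }

    // 4. Confinement: resolve the real path and require it to stay inside the
    //    plugin's own export directory under wp-content/uploads (assumed name).
    $upload_dir = wp_upload_dir();
    $base = realpath( trailingslashit( $upload_dir['basedir'] ) . 'example-exports' );
    $path = $base ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;
    if ( ! $base || ! $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    // 5. Type validation: serve only the export format the plugin itself
    //    produces (".zip" is assumed here), never arbitrary server files.
    if ( 'zip' !== strtolower( pathinfo( $path, PATHINFO_EXTENSION ) ) ) {
        wp_send_json_error( 'unsupported type', 415 );
    }

    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    readfile( $path );
    wp_die();
}
```

Checks 1 and 3 to 5 correspond directly to the two gaps the snippet names (capability, and file type/source validation); check 2 is the standard companion for any admin-ajax action.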