
Smart Slider 3 arbitrary file read security flaw (CVE-2026-3098)

Vulnerability
H score 26
1 unique source, 1 article

Summary


CVE-2026-3098 exposes Smart Slider 3 sites to arbitrary file read when authenticated users abuse AJAX export actions, putting wp-config.php and database secrets at risk. The flaw affects versions through 3.5.1.33 and can be triggered by subscriber-level accounts with minimal access. Nextendweb shipped 3.5.1.34 to fix the issue, while many sites remained vulnerable at publication.

Related Happenings

WordPress.org closes compromised EssentialPlugin plugins with forced update

Security Tool/Service
First: 15.04.2026 23:33 Last: 15.04.2026 23:33 Sources 1

About this happening: **WordPress.org** closed the compromised **EssentialPlugin** plugins and forced an update, changing how affected sites received and ran the package. The move mattered because the...

Smart Slider 3 Pro update system for WordPress hit by network compromise

Incident
First: 09.04.2026 19:15 Last: 09.04.2026 19:15 Sources 1

About this happening: The **Smart Slider 3 Pro** update system was compromised, and a **malicious 3.5.1.35** release was pushed to **WordPress and Joomla** sites. The bad update could create **hidden a...

CISA KEV listing for Wing FTP CVE-2025-47813

Public Sector Action
First: 17.03.2026 07:23 Last: 17.03.2026 07:23 Sources 1

About this happening: CISA added **CVE-2025-47813** in **Wing FTP Server** to the **KEV catalog** after evidence of **active exploitation**, putting the flaw under formal government tracking. The listi...

Gladinet CentreStack and Triofox workaround for CVE-2025-11371

Advisory/Mitigation
First: 10.10.2025 22:08 Last: 10.10.2025 22:08 Sources 1

About this happening: **CentreStack** and **Triofox** are affected by **CVE-2025-11371**, a **local file inclusion zero-day** that threat actors have **abused since late September** to read **Web.confi...

Timeline

  1. 29.03.2026 17:38 · 1 article

    Researcher reports Smart Slider 3 arbitrary file-read flaw

    Initial Disclosure

    Dmitrii Ignatyev reported CVE-2026-3098 in Smart Slider 3 to Wordfence on February 23, after which researchers validated a proof-of-concept exploit and informed Nextendweb. The flaw affects Smart Slider 3 versions through 3.5.1.33 and allows authenticated subscriber-level users to abuse AJAX export actions to read arbitrary server files, including wp-config.php.

  2. 29.03.2026 17:38 · 1 article

    Nextendweb releases Smart Slider 3.5.1.34

    Mitigation Patch Update

    Nextendweb delivered a patch on March 24 with the release of Smart Slider version 3.5.1.34 to address CVE-2026-3098 in Smart Slider 3. The vulnerable AJAX export actions lacked file type and source validation, allowing authenticated users to add arbitrary server files to an export archive.

  3. 29.03.2026 17:38 · 2 articles

    Publication says many Smart Slider 3 sites remain exposed

    Victim Impact Update

    At publication on March 29, Smart Slider 3 was active on more than 800,000 websites, and at least 500,000 WordPress sites were still running a vulnerable version (3.5.1.33 or earlier). That exposure left subscriber-level authenticated users able to read sensitive server files, including wp-config.php, on unpatched sites.
