Smart Slider 3 security patch (CVE-2026-3098)
Security Patch Release
Summary
Hide ▲
Show ▼
Nextendweb released Smart Slider version 3.5.1.34 on March 24, 2026, closing CVE-2026-3098 in the Smart Slider 3 WordPress plugin. The patch fixes an arbitrary file-read flaw that let authenticated subscriber-level users access sensitive server files, including wp-config.php. That exposure can reveal database credentials, keys, and salts, raising the risk of user data theft and complete website takeover. The vulnerable range covered versions through 3.5.1.33, affecting more than 800,000 websites with at least 500,000 still exposed.
Related Happenings
Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)
Security Patch Release
First: 15.05.2026 18:56
Last: 15.05.2026 18:56
Sources 1
About this happening:
**Avada Builder** shipped **version 3.15.3** as the full fix for **CVE-2026-4782** and **CVE-2026-4798**, closing the plugin flaws that could expose files and database data. A pri...
Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)
Security Patch ReleaseAbout this happening: **Avada Builder** shipped **version 3.15.3** as the full fix for **CVE-2026-4782** and **CVE-2026-4798**, closing the plugin flaws that could expose files and database data. A pri...
Google security patch release for CVE-2026-5858
Security Patch Release
First: 10.04.2026 13:44
Last: 10.04.2026 13:44
Sources 1
About this happening:
**Google** released the first stable **Chrome 147** build, closing **60 vulnerabilities** and raising the browser’s baseline security ahead of broader deployment. The patch bundle...
Google security patch release for CVE-2026-5858
Security Patch ReleaseAbout this happening: **Google** released the first stable **Chrome 147** build, closing **60 vulnerabilities** and raising the browser’s baseline security ahead of broader deployment. The patch bundle...
Smart Slider 3 Pro update system for WordPress hit by network compromise
Incident
First: 09.04.2026 19:15
Last: 09.04.2026 19:15
Sources 1
About this happening:
The **Smart Slider 3 Pro** update system was compromised, and a **malicious 3.5.1.35** release was pushed to **WordPress and Joomla** sites. The bad update could create **hidden a...
Smart Slider 3 Pro update system for WordPress hit by network compromise
IncidentAbout this happening: The **Smart Slider 3 Pro** update system was compromised, and a **malicious 3.5.1.35** release was pushed to **WordPress and Joomla** sites. The bad update could create **hidden a...
Chrome emergency zero-day patch (CVE-2026-3909, CVE-2026-3910)
Security Patch Release
First: 13.03.2026 08:56
Last: 13.03.2026 08:56
Sources 1
About this happening:
**Google** pushed an **emergency Chrome update** for **Stable Desktop users** on **Windows, macOS, and Linux** after confirming **CVE-2026-3909** and **CVE-2026-3910** are **explo...
Chrome emergency zero-day patch (CVE-2026-3909, CVE-2026-3910)
Security Patch ReleaseAbout this happening: **Google** pushed an **emergency Chrome update** for **Stable Desktop users** on **Windows, macOS, and Linux** after confirming **CVE-2026-3909** and **CVE-2026-3910** are **explo...
Latest development: 13.03.2026 11:17
Google discovers and reports CVE-2026-3909, an out-of-bounds write vulnerability in the Skia 2D graphics library, and CVE-2026-3910, an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine, on March 10, 2026; both issues are reachable via crafted HTML pages.
Elementor Ally 4.1.0 security patch release (CVE-2026-2313)
Security Patch Release
First: 11.03.2026 21:38
Last: 11.03.2026 21:38
Sources 1
About this happening:
**Elementor** released **Ally 4.1.0** to fix **CVE-2026-2313**, a **SQL injection** flaw in the WordPress accessibility plugin that could expose **sensitive data**. The update lan...
Elementor Ally 4.1.0 security patch release (CVE-2026-2313)
Security Patch ReleaseAbout this happening: **Elementor** released **Ally 4.1.0** to fix **CVE-2026-2313**, a **SQL injection** flaw in the WordPress accessibility plugin that could expose **sensitive data**. The update lan...
Timeline
-
29.03.2026 17:38 1 articles · 1mo ago
CVE-2026-3098 reported to Wordfence
Initial DisclosureResearcher Dmitrii Ignatyev reports CVE-2026-3098 in Smart Slider 3 to Wordfence after validating that authenticated subscriber-level users can abuse AJAX export actions to read arbitrary server files, including wp-config.php, on versions through 3.5.1.33.
Show sources
- File read flaw in Smart Slider plugin impacts 500K WordPress sites — www.bleepingcomputer.com — 29.03.2026 17:38
-
29.03.2026 17:38 1 articles · 1mo ago
Nextendweb acknowledges the vulnerability report
Untyped PhaseNextendweb acknowledges the Smart Slider 3 vulnerability report after Wordfence validates the proof-of-concept exploit and notifies the plugin developer.
Show sources
- File read flaw in Smart Slider plugin impacts 500K WordPress sites — www.bleepingcomputer.com — 29.03.2026 17:38
-
29.03.2026 17:38 2 articles · 1mo ago
Smart Slider version 3.5.1.34 patch released
Mitigation Patch UpdateNextendweb releases Smart Slider version 3.5.1.34, addressing CVE-2026-3098 in Smart Slider 3 after the vulnerable range through 3.5.1.33 is identified.
Show sources
- File read flaw in Smart Slider plugin impacts 500K WordPress sites — www.bleepingcomputer.com — 29.03.2026 17:38
- File read flaw in Smart Slider plugin impacts 500K WordPress sites — www.bleepingcomputer.com — 29.03.2026 17:38
-
29.03.2026 17:38 1 articles · 1mo ago
Large Smart Slider 3 exposure remains
Victim Impact UpdateMore than 800,000 websites run Smart Slider 3, and at least 500,000 WordPress sites are still exposed by vulnerable versions through 3.5.1.33, leaving authenticated subscriber-level users able to read arbitrary server files such as wp-config.php on unpatched installations.
Show sources
- File read flaw in Smart Slider plugin impacts 500K WordPress sites — www.bleepingcomputer.com — 29.03.2026 17:38