RSS
← All articles
vulnerability
CVE-2026-3098
2026-03-29

Smart Slider 3 WordPress plugin exposes 800,000+ sites to file theft (CVE-2026-3098)

A flaw in Smart Slider 3 - one of WordPress's most popular slider plugins with over 800,000 active installations - lets anyone with a basic subscriber account download arbitrary files from the server. That includes wp-config.php, which contains database credentials, encryption keys, and salt data. An attacker only needs the lowest level of authenticated access to trigger the vulnerable export function and package sensitive files into a downloadable ZIP.

wordpresssmart-slider-3arbitrary-file-readplugin
Check
Check if you run Smart Slider 3 on any WordPress site, especially sites with open registration.
Affected
Smart Slider 3 versions up to and including 3.5.1.33.
Fix
Update to Smart Slider 3 version 3.5.1.34. Rotate database credentials and salts if you suspect the vulnerability was exploited.
Related Articles
threatHackers bought Google ads pointing to a fake GoDaddy WordPress login page - any site manager who clicked saw their credentials stolen
threatA WordPress redirect plugin used on 70,000 sites was secretly running a hidden update channel that fetched code from an attacker-controlled server for five years
vulnerabilityAttackers actively exploiting critical unauthenticated file upload flaw in Breeze Cache WordPress plugin on 400,000 sites (CVE-2026-3844)