Smart Slider 3 WordPress plugin exposes 800,000+ sites to file theft (CVE-2026-3098)

A flaw in Smart Slider 3 - one of WordPress's most popular slider plugins with over 800,000 active installations - lets anyone with a basic subscriber account download arbitrary files from the server. That includes wp-config.php, which contains database credentials, encryption keys, and salt data. An attacker only needs the lowest level of authenticated access to trigger the vulnerable export function and package sensitive files into a downloadable ZIP.

Check

Check if you run Smart Slider 3 on any WordPress site, especially sites with open registration.

Affected

Smart Slider 3 versions up to and including 3.5.1.33.

Fix

Update to Smart Slider 3 version 3.5.1.34. Rotate database credentials and salts if you suspect the vulnerability was exploited.