File Read Flaw - Vulnerability in Smart Slider Plugin
A flaw in a popular WordPress plugin lets any logged-in user, including ordinary subscribers, read private files from the web server.
A vulnerability in the Smart Slider 3 plugin threatens over 500,000 WordPress sites by letting authenticated users read files they should never see. Site owners should update the plugin immediately to mitigate the risk.
What Happened
A serious vulnerability has been discovered in the Smart Slider 3 WordPress plugin, which is currently active on over 800,000 websites. The flaw, tracked as CVE-2026-3098, allows authenticated users, even those holding the lowest-privilege Subscriber role, to read arbitrary files on the server. That includes wp-config.php, which holds the database credentials and the site's authentication keys and salts. The root cause is missing capability checks in the plugin's AJAX export actions: WordPress runs a wp_ajax_{action} handler for any logged-in user, so a handler that never calls current_user_can() is reachable by every account on the site, and the export routine then served whichever file was requested.
The issue was reported by researcher Dmitrii Ignatyev on February 23. After Wordfence validated the report, the plugin's developer, Nextendweb, acknowledged it on March 2 and released a patch on March 24. Many sites have yet to apply that update and remain vulnerable.
Who's Affected
The vulnerability affects at least 500,000 WordPress sites that are running vulnerable versions of the Smart Slider 3 plugin. Sites with membership or subscription features are at particular risk: they typically let visitors register themselves, and a self-registered subscriber account is all the flaw requires. The plugin was downloaded 303,428 times in the past week alone, so the installed base, and with it the number of sites that must be patched, keeps growing.
The flaw is not currently flagged as actively exploited, but that status can change quickly once a public patch lets attackers diff the fixed and unfixed versions to locate the bug. Given what the exposed files contain, site owners should treat the update as urgent.
What Data Was Exposed
The data at risk is any file on the server that the web server's PHP process can read. In particular:
- wp-config.php: contains the database credentials and the authentication keys and salts; together these are enough for a complete site takeover.
- Other arbitrary files: anything else readable by the PHP process, so the impact ranges from data theft to complete website takeover.
The export routine validated neither the type nor the location of the requested file, so instead of being limited to the images and videos a slider legitimately contains, it would hand back PHP source and configuration files as well.
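The following is an added illustration of the bug class described above and in the "What Happened" section; it is not Smart Slider 3's code and does not reproduce the real handler. It places a WordPress admin-ajax export action that has no capability check and no validation of the requested file next to a hardened version that adds a nonce check, an administrator capability check, and confinement of the requested path to the uploads directory with a media-extension allowlist. Every function and action name beginning with demo_ is hypothetical.

```php
<?php
// Added illustration, not Smart Slider 3's code. Shows an admin-ajax export
// action with no capability check and no file validation next to a hardened
// version. All demo_* names are hypothetical.

// ---- Vulnerable pattern ----------------------------------------------------
// wp_ajax_{action} hooks fire for ANY logged-in user, subscribers included.
// Nothing below checks who is calling or which file is being requested.
function demo_export_vulnerable() {
    $file = $_POST['file'];                      // e.g. ../../../wp-config.php
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="export.bin"');
    readfile($file);                             // arbitrary file read as the web user
    wp_die();
}
add_action('wp_ajax_demo_slider_export', 'demo_export_vulnerable');

// ---- Hardened pattern ------------------------------------------------------
// Resolves $requested beneath $base and returns the canonical path only if it
// stays inside $base and carries an allowed media extension; otherwise null.
function demo_resolve_export_path(string $base, string $requested): ?string {
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'mp4', 'webm'];
    $base = realpath($base);
    if ($base === false) {
        return null;
    }
    // realpath() resolves '..' and symlinks, so the prefix test runs on the
    // canonical path rather than on the attacker-supplied string.
    $path = realpath($base . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                             // missing, or escaped the uploads tree
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;                             // .php, config files, dumps, ...
    }
    return $path;
}

function demo_export_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer('demo_slider_export', 'nonce');

    // 2. Authorization: exporting site content is an administrative task.
    //    This is the check whose absence lets a subscriber reach the handler.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // 3. Source and type validation: only media under wp-content/uploads.
    $requested = isset($_POST['file']) ? wp_unslash($_POST['file']) : '';
    $path = demo_resolve_export_path(wp_upload_dir()['basedir'], $requested);
    if ($path === null) {
        wp_send_json_error('invalid file', 400);
    }

    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
    wp_die();
}
add_action('wp_ajax_demo_slider_export_safe', 'demo_export_hardened');
```

The order of the three checks matters less than their presence: the capability check is what stops a subscriber, the nonce stops an administrator from being tricked into triggering the export, and the path confinement is what would have kept wp-config.php out of reach even if the first two had been forgotten. Because the prefix test runs on the output of realpath(), a symlink inside the uploads directory that points elsewhere is rejected as well.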
What You Should Do
Website owners using the Smart Slider 3 plugin should take immediate action to secure their sites. Here are the recommended steps:
- Update the plugin: make sure you are running Smart Slider 3 version 3.5.1.34 or later, which contains the fix.
- Review user access: audit user roles and permissions, remove accounts that no longer need access, and disable open registration (Settings > General, "Anyone can register") unless the site genuinely needs it, since any subscriber account is enough to reach the vulnerable handler.
- Monitor for suspicious activity: check access logs for requests to admin-ajax.php that carry the plugin's export action, especially from low-privilege accounts or in volume, and if there is any indication that wp-config.php was read, rotate the database password and regenerate the authentication keys and salts.
Taking these steps will help protect your website from potential exploitation and safeguard sensitive data.
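To check the first step across many sites, the following added example (not from the article, Wordfence or the plugin vendor) parses a plugin readme.txt, which a stock install serves at /wp-content/plugins/smart-slider-3/readme.txt (the plugin slug is assumed), reads its "Stable tag" header and reports whether that version predates the 3.5.1.34 fix. The sample bodies are constructed stand-ins for HTTP responses.

```php
<?php
// Added example, not from the article or the plugin vendor. Classifies a site
// from the readme.txt its Smart Slider 3 install serves. Slug and demo_* names
// are assumptions.

const DEMO_PATCHED_VERSION = '3.5.1.34';   // first fixed version per the advisory

// Returns the version declared in the readme's "Stable tag:" header, or null.
function demo_stable_tag(string $readme): ?string {
    if (preg_match('/^Stable tag:\s*([0-9]+(?:\.[0-9]+)*)\s*$/mi', $readme, $m)) {
        return $m[1];
    }
    return null;
}

// version_compare() handles four-component versions such as 3.5.1.33 correctly.
function demo_is_vulnerable(string $version): bool {
    return version_compare($version, DEMO_PATCHED_VERSION, '<');
}

// 'vulnerable', 'patched' or 'unknown' (no readme, blocked, or header missing:
// confirm from the dashboard's Plugins page instead).
function demo_classify(?string $readme_body): string {
    if ($readme_body === null) {
        return 'unknown';
    }
    $tag = demo_stable_tag($readme_body);
    if ($tag === null) {
        return 'unknown';
    }
    return demo_is_vulnerable($tag) ? 'vulnerable' : 'patched';
}

// Constructed sample bodies standing in for responses from three sites.
$samples = [
    'site-a' => "=== Smart Slider 3 ===\nRequires at least: 5.6\nStable tag: 3.5.1.33\n",
    'site-b' => "=== Smart Slider 3 ===\nStable tag: 3.5.1.34\n",
    'site-c' => null,                          // 404, or readme.txt removed
];
foreach ($samples as $site => $body) {
    printf("%s: %s\n", $site, demo_classify($body));   // site-a: vulnerable, site-b: patched, site-c: unknown
}
// Against real hosts, replace $samples with the bodies returned by
// file_get_contents() or curl for each site's readme.txt URL.
```

Treat anything other than "patched" as needing a manual look: some hosts block readme.txt, and a site that hides it is not thereby safe. The same comparison can be run from inside WordPress against the version reported by get_plugin_data() for sites you administer.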