Full Report
A vulnerability in the Smart Slider 3 WordPress plugin, active on more than 800,000 websites, can be exploited to allow subscriber-level users access to arbitrary files on the server. [...]
Analysis Summary
# Vulnerability: Arbitrary File Read in Smart Slider 3 WordPress Plugin
## CVE Details
- **CVE ID:** CVE-2026-3098
- **CVSS Score:** Medium (no numeric score is given in the source text; rated Medium because exploitation requires an authenticated account)
- **CWE:** Missing Authorization; Path Traversal (implied)
## Affected Systems
- **Products:** Smart Slider 3 (WordPress Plugin)
- **Versions:** All versions up to and including 3.5.1.33
- **Configurations:** WordPress installations where the plugin is active and user registration (subscriber level) is enabled.
## Vulnerability Description
The vulnerability exists in the plugin's AJAX export functionality, specifically the `actionExportAll` function. The flaw stems from a missing capability check combined with insufficient validation of the type and location of the files being exported.
The function does verify a nonce, but any authenticated user, including one at the lowest privilege level ("Subscriber"), can obtain that nonce, so the nonce proves only that the request came from a logged-in session, not that the caller is authorized to export. Because the function does not check whether a requested file is a restricted type (such as `.php`), an attacker can steer the export process into bundling arbitrary server files, such as `wp-config.php`, into an export archive that the attacker can then download.
## Exploitation
- **Status:** PoC available (validated by researchers); No active exploitation reported in the wild as of March 29, 2026.
- **Complexity:** Low (Requires only standard subscriber-level access)
- **Attack Vector:** Network (Authenticated)
## Impact
- **Confidentiality:** High (Access to sensitive configuration files, database credentials, and cryptographic salts)
- **Integrity:** Medium/High (Indirect; database credentials can lead to unauthorized site modification or takeover)
- **Availability:** Low/Medium (Depending on whether an attacker uses credentials to disrupt services)
## Remediation
### Patches
- **Upgrade to Smart Slider version 3.5.1.34** or higher. This version, released on March 24, includes the necessary capability checks and file validation.
### Workarounds
- Disable user registration for untrusted parties if the plugin cannot be updated immediately.
- Implement a Web Application Firewall (WAF) to monitor and block suspicious AJAX requests to the `actionExportAll` endpoint.
## Detection
- **Indicators of Compromise:** Review web server access logs for unusual AJAX requests involving `smart-slider-3` export actions initiated by low-privilege users.
- **Detection methods and tools:** Wordfence and other WordPress security scanners can identify vulnerable versions of the plugin. Security teams should audit for the presence of exported archives in the plugin's temporary directories.
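The log review described above, as an added example that is not part of the advisory: a small Python script that parses combined-format access log lines, picks out `admin-ajax.php` requests whose query string names the plugin together with an export action, and flags source addresses that issue such requests repeatedly. The query parameter names (`action=smartslider3&nextendaction=exportall`), the sample log lines and the threshold are constructed for the illustration; the real request shape is not stated in the advisory, so adapt the `EXPORT_HINT` pattern to what your own installation's export requests look like. Two caveats a practitioner should keep in mind: an access log records no user role, so attributing a hit to a low-privilege account needs application-level logs (a WAF or WordPress audit plugin), and AJAX parameters sent in a POST body never appear in the access log at all, so only requests that carry them in the query string are visible here.

```python
import re
from collections import Counter

# Apache/Nginx "combined" log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed matcher: an admin-ajax request whose query string names the
# plugin and an export action. Tune this to the parameter names you observe.
EXPORT_HINT = re.compile(r"admin-ajax\.php\?.*(smartslider|smart-slider).*export", re.I)

# Constructed sample log: three rapid export requests from one address,
# one from a second address, some unrelated traffic and a malformed line.
SAMPLE_LOG = [
    '203.0.113.10 - - [29/Mar/2026:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.10 - - [29/Mar/2026:10:01:40 +0000] "POST /wp-admin/admin-ajax.php?action=smartslider3&nextendaction=exportall HTTP/1.1" 200 1543',
    '203.0.113.10 - - [29/Mar/2026:10:01:41 +0000] "POST /wp-admin/admin-ajax.php?action=smartslider3&nextendaction=exportall HTTP/1.1" 200 1547',
    '203.0.113.10 - - [29/Mar/2026:10:01:43 +0000] "POST /wp-admin/admin-ajax.php?action=smartslider3&nextendaction=exportall HTTP/1.1" 200 20991',
    '198.51.100.7 - - [29/Mar/2026:11:15:09 +0000] "POST /wp-admin/admin-ajax.php?action=smartslider3&nextendaction=exportall HTTP/1.1" 200 88201',
    '198.51.100.7 - - [29/Mar/2026:11:15:30 +0000] "GET /wp-admin/admin.php?page=smart-slider3 HTTP/1.1" 200 50321',
    'not a log line',
]


def parse_line(line):
    """Return the captured fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_export_requests(lines):
    """Keep only parseable lines whose request path matches the export hint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and EXPORT_HINT.search(rec["path"]):
            hits.append(rec)
    return hits


def suspicious_sources(hits, threshold=3):
    """Addresses that issued at least `threshold` export requests.

    A legitimate administrator exports a slider occasionally; a burst of
    export calls from one address is worth a closer look. The threshold is
    a constructed starting point, not a calibrated value.
    """
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_export_requests(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["ts"], h["status"], h["size"], h["path"])
    print("repeat sources:", suspicious_sources(hits))
```

Each hit also carries the response status and size, which is useful when checking the plugin's temporary directories afterwards: a `200` with an unusually large body from an address that should not be exporting sliders is the request most likely to have produced an archive worth inspecting.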
## References
- Wordfence Advisory: hxxps[://]www[.]wordfence[.]com/blog/2026/03/800000-wordpress-sites-affected-by-arbitrary-file-read-vulnerability-in-smart-slider-3-wordpress-plugin/
- WordPress Plugin Repository: hxxps[://]wordpress[.]org/plugins/smart-slider-3/
- BleepingComputer Reference: hxxps[://]www[.]bleepingcomputer[.]com/news/security/file-read-flaw-in-smart-slider-plugin-impacts-500k-wordpress-sites/