WordPress Plugin Flaw Exposes Sensitive Data on 8 Vulnerability From

Marcus Rodriguez
March 31, 2026

A high-severity security flaw has been disclosed in Smart Slider 3, one of the most widely used WordPress slider builder plugins.

With over 800,000 active installations, this vulnerability leaves a massive number of websites exposed to severe data theft.

Tracked as CVE-2026-3098, this medium-severity flaw allows attackers with minimal permissions to access and download highly sensitive configuration files directly from the hosting server.

This vulnerability is particularly dangerous for sites that allow open user registration, as any standard subscriber account can be leveraged to execute an attack.

WordPress Plugin Vulnerability

The vulnerability, categorized as an Authenticated Arbitrary File Read, exists deeply within the plugin’s export functionality. Specifically, the underlying flaw resides in the actionExportAll() function within the ControllerSliders class.

In a normal workflow, this process relies on multiple AJAX requests to compile and download a slider export ZIP file containing images and configuration settings.

While one of these critical actions is protected by a security nonce, authenticated attackers can easily obtain this token in vulnerable versions of the plugin.

More critically, the AJAX functions lack proper capability checks that verify the user’s role before executing the code.

This oversight allows any authenticated user, even those with basic subscriber-level access, to trigger the export action without requiring administrative privileges.

Furthermore, the create() function responsible for building the export ZIP fails to validate the source or type of the files being added to the archive.

Because the system does not restrict exports exclusively to safe media like image or video files, threat actors can weaponize the feature to export core server files.

This means attackers can easily extract files with .php extensions, completely bypassing the intended WordPress security restrictions. The primary and most critical threat posed by this vulnerability is the potential exposure of the site’s core wp-config.php file.
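To show what the missing controls look like in a WordPress AJAX handler, here is an added example written for this article; it is not Smart Slider 3's code, and the action name, handler names and uploads-directory confinement are hypothetical. It goes slightly beyond the article by combining the capability check with a media-only allowlist and a path check, so a request for ../wp-config.php is refused even when the file-type check is passed.

```php
<?php
// Added example (not the plugin's own code): a hardened WordPress AJAX export
// handler with the three checks the article describes as missing or weak:
// a capability check, a nonce check, and an allowlist of exportable files.
// 'myplugin_export' and the function names below are hypothetical.

add_action( 'wp_ajax_myplugin_export', 'myplugin_export_handler' );

function myplugin_export_handler() {
    // 1. Capability check: subscriber-level accounts never reach the export
    //    code. 'manage_options' is a real WordPress capability held by admins.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 2. Nonce check (assumed nonce action 'myplugin_export'). A nonce proves
    //    intent, not authorization, which is why the capability check is first.
    check_ajax_referer( 'myplugin_export', 'nonce' );

    $requested = isset( $_POST['files'] ) ? (array) $_POST['files'] : array();
    $safe      = myplugin_filter_exportable( $requested );
    // ... build the ZIP from $safe only ...
    wp_send_json_success( array( 'files' => $safe ) );
}

// 3. Only media files that resolve inside the uploads directory may be exported.
function myplugin_filter_exportable( array $paths ) {
    $allowed = array( 'jpg', 'jpeg', 'png', 'gif', 'webp', 'mp4', 'webm' );
    $base    = realpath( wp_upload_dir()['basedir'] );
    $out     = array();
    foreach ( $paths as $p ) {
        $real = realpath( $base . '/' . ltrim( (string) $p, '/' ) );
        // Reject anything that does not resolve under uploads (e.g. ../wp-config.php).
        if ( false === $real || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
            continue;
        }
        $ext = strtolower( pathinfo( $real, PATHINFO_EXTENSION ) );
        if ( ! in_array( $ext, $allowed, true ) ) {
            continue; // .php and other non-media types are never archived
        }
        $out[] = $real;
    }
    return $out;
}
```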

If an attacker successfully downloads this file, they gain immediate access to database credentials, as well as the cryptographic keys and salts used to secure user sessions.

Armed with this sensitive information, a threat actor could easily bypass authentication, escalate their privileges, and take complete control of the affected web server.

Security researcher Dmitrii Ignatyev discovered the flaw and responsibly reported it through the Wordfence Bug Bounty Program on February 23, 2026, earning a well-deserved $2,208 reward.

Wordfence responded instantly, providing a protective firewall rule to its Premium, Care, and Response users on February 24 to block any incoming exploit attempts.

Sites utilizing the free version of Wordfence received the same protection exactly 30 days later, on March 26, 2026.

The plugin developers at Nextend acknowledged the report. They responded promptly to the disclosure, releasing a fully patched version on March 24, 2026.

Website administrators are strongly urged to update their Smart Slider 3 plugin to version 3.5.1.34 immediately to secure their environments against potential exploitation.
