File Read Vulnerability (CVE‑2026‑3098) in Smart Slider 3 Exposes 500K WordPress Sites to Credential Theft
What Happened — A missing capability check in the Smart Slider 3 WordPress plugin (CVE‑2026‑3098) allows any authenticated subscriber‑level user to invoke an export routine that reads arbitrary files, including the critical wp‑config.php. More than 500 000 live sites are still running vulnerable versions.
Why It Matters for TPRM —
- Attackers can harvest database credentials, keys, and salts, enabling full site takeover.
- Third‑party SaaS platforms that embed WordPress sites inherit this risk from their vendors.
- The flaw is trivial to exploit once a low‑privilege account exists, expanding the attack surface of otherwise trusted partners.
Who Is Affected — WordPress‑based websites across all sectors, especially hosted, managed‑service, e‑commerce, and SaaS providers that use the Smart Slider 3 plugin.
Recommended Actions —
- Verify whether any of your third‑party web properties run Smart Slider 3 ≤ 3.5.1.33.
- Apply the 3.5.1.34 patch immediately or replace the plugin.
- Review user‑role configurations; restrict subscriber access where unnecessary.
- Rotate database credentials and API keys for any sites that may have been exposed.
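The first two actions above (find every property running Smart Slider 3 and compare its version with the 3.5.1.34 fix) can be scripted for a host or hosting partner that has filesystem access to the WordPress roots. The script below is an added example, not code from the advisory or from the Smart Slider 3 project. It assumes the plugin declares itself with a standard WordPress header (`Plugin Name: Smart Slider 3`, `Version: …`) in its main file, so it locates the plugin by that header rather than by a directory name; the command-line layout and output format are this example's own.

```php
<?php
// Added example (not the advisory's or the plugin's code).
// Usage: php check-smart-slider.php /var/www/site-a /var/www/site-b ...
// For each WordPress root, locate Smart Slider 3 by its plugin header and
// report whether the installed version is older than the fix release.

const FIXED_VERSION = '3.5.1.34';      // fix release named in the advisory
const PLUGIN_NAME   = 'Smart Slider 3'; // assumed value of the plugin's "Plugin Name:" header

/**
 * Return ['version' => ..., 'file' => ...] for the plugin under $wp_root,
 * or null if no plugin with that header is present on disk.
 * WordPress reads plugin headers from the first 8 KB of the main file.
 */
function find_plugin_version(string $wp_root): ?array
{
    foreach (glob($wp_root . '/wp-content/plugins/*/*.php') ?: [] as $file) {
        $header = file_get_contents($file, false, null, 0, 8192);
        if ($header === false) {
            continue;
        }
        $name_re = '/^\s*\*?\s*Plugin Name:\s*' . preg_quote(PLUGIN_NAME, '/') . '\b/mi';
        if (!preg_match($name_re, $header)) {
            continue;
        }
        if (!preg_match('/^\s*\*?\s*Version:\s*([0-9][0-9.]*)/mi', $header, $m)) {
            continue;
        }
        return ['version' => $m[1], 'file' => $file];
    }
    return null;
}

/** True when $version sorts below the fix release (3.5.1.33 and earlier). */
function is_vulnerable(string $version): bool
{
    return version_compare($version, FIXED_VERSION, '<');
}

$roots = array_slice($argv, 1);
if ($roots === []) {
    fwrite(STDERR, 'usage: php ' . basename(__FILE__) . " <wordpress-root> [...]\n");
    exit(2);
}

$exit_code = 0;
foreach ($roots as $root) {
    $found = find_plugin_version($root);
    if ($found === null) {
        printf("%-40s not installed\n", $root);
        continue;
    }
    if (is_vulnerable($found['version'])) {
        printf("%-40s %-10s VULNERABLE (update to %s)\n", $root, $found['version'], FIXED_VERSION);
        $exit_code = 1;
    } else {
        printf("%-40s %-10s ok\n", $root, $found['version']);
    }
}
exit($exit_code);
```

The script reports what is on disk; it does not know whether the plugin is activated, so a site listed as "ok" because the plugin is absent should still be cross-checked against the site's plugin list (for example with WP-CLI's `wp plugin list`). A non-zero exit status makes it easy to wire into a scheduled vendor-inventory check that pages on any vulnerable result.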
Technical Notes — The vulnerability stems from missing capability checks in the plugin’s AJAX actionExportAll export routine, which allows arbitrary file reads with no validation of the requested file’s type or location. CVE‑2026‑3098 is rated medium severity (CVSS ≈ 5.5) but has high impact because of the credential exposure. No active exploitation has been reported, but a proof of concept exists.
Source: BleepingComputer
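To make the root cause concrete, here is the shape of an admin-ajax export handler that includes the controls the advisory says were missing: a capability check, plus validation of the requested file's location and type. This is an added, generic example written for this page; it is not Smart Slider 3's code and does not reproduce its actionExportAll routine. The action name, nonce name, export directory and file extension are placeholders.

```php
<?php
// Added example (generic WordPress handler, not Smart Slider 3's code).
// Illustrates the checks a privileged export endpoint needs before it
// reads any file on behalf of a logged-in user.

const EXAMPLE_EXPORT_EXT = 'zip'; // placeholder: whatever format the feature actually produces

// Only the authenticated hook is registered; there is deliberately no
// 'wp_ajax_nopriv_' variant, so logged-out requests get no handler at all.
add_action('wp_ajax_example_export', 'example_export_handler');

function example_export_handler(): void
{
    // 1. Capability check. A subscriber is authenticated but lacks
    //    manage_options, so the request is rejected before any file access.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // 2. CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer('example_export_nonce', 'nonce');

    // 3. Source validation: resolve the name inside the export directory only.
    //    basename() drops any directory components; realpath() plus the prefix
    //    test rejects anything that still resolves outside the directory.
    $export_dir = realpath(wp_upload_dir()['basedir'] . '/example-exports');
    $requested  = realpath($export_dir . '/' . basename((string) ($_POST['file'] ?? '')));
    if ($export_dir === false || $requested === false
        || strpos($requested, $export_dir . DIRECTORY_SEPARATOR) !== 0) {
        wp_send_json_error('invalid file', 400);
    }

    // 4. File-type validation: serve only the export format this feature writes.
    if (strtolower(pathinfo($requested, PATHINFO_EXTENSION)) !== EXAMPLE_EXPORT_EXT) {
        wp_send_json_error('invalid file type', 400);
    }

    nocache_headers();
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($requested) . '"');
    readfile($requested);
    wp_die();
}
```

The ordering matters for defenders reviewing similar code: the capability check and nonce check come first, so an unauthorized caller never reaches the file-resolution step, and the path and extension checks mean that even an administrator can only retrieve files the feature itself created. When auditing a third-party plugin's AJAX actions, the absence of any `current_user_can()` call before a file read is the pattern to flag.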