BleepingComputer reports that at least 500,000 WordPress sites are vulnerable to attacks involving a medium-severity flaw in the Smart Slider 3 plugin, which is used for image slider and content carousel creation and management.All Smart Slider 3 plugin versions through 3.5.1.33 are impacted by the vulnerability, tracked as CVE-2026-3098, which could be exploited by authenticated threat actors to infiltrate wp-config.php and other sensitive files to compromise database credentials and keys, as well as salt data. Such a bug, which originates from a lack of capability checks within the AJAX export actions of the plugin, could be exploited even with the presence of a nonce, according to Defiant security researchers."Unfortunately, this function does not include any file type or file source checks in the vulnerable version. This means that not only image or video files can be exported, but .php files can as well," said researcher Istvan Marton, who noted potential abuse even with minimal access.
Vulnerability Management, Patch/Configuration Management
Widespread compromise possible with Smart Slider WordPress plugin flaw

(Credit: Bilal Ulker – stock.adobe.com)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



