Vulnerability Management, Patch/Configuration Management

Widespread compromise possible with Smart Slider WordPress plugin flaw

(Credit: Bilal Ulker – stock.adobe.com)

BleepingComputer reports that at least 500,000 WordPress sites are vulnerable to attacks involving a medium-severity flaw in the Smart Slider 3 plugin, which is used for image slider and content carousel creation and management.

All Smart Slider 3 plugin versions through 3.5.1.33 are impacted by the vulnerability, tracked as CVE-2026-3098, which could be exploited by authenticated threat actors to infiltrate wp-config.php and other sensitive files to compromise database credentials and keys, as well as salt data. Such a bug, which originates from a lack of capability checks within the AJAX export actions of the plugin, could be exploited even with the presence of a nonce, according to Defiant security researchers.

"Unfortunately, this function does not include any file type or file source checks in the vulnerable version. This means that not only image or video files can be exported, but .php files can as well," said researcher Istvan Marton, who noted potential abuse even with minimal access.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds