PT-2026-28418 · WordPress · Smart Slider 3

Dmitry Ignatyev · Published 2026-03-26 · Updated 2026-04-12 · CVE-2026-3098

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Smart Slider 3 versions prior to 3.5.1.34

Description

The Smart Slider 3 plugin for WordPress contains a flaw that allows authenticated attackers with Subscriber-level access or higher to read arbitrary files on the server. The entry point is the actionExportAll function, which lacks sufficient file type and source validation. The issue could lead to the exposure of sensitive information, such as the database credentials contained in the wp-config.php file. Approximately 500,000 to 800,000 sites are estimated to be affected. Real-world exploitation of this issue has been observed, with attackers gaining access to wp-config.php files and escalating privileges. The vulnerable parameter is not explicitly mentioned.

Recommendations

Update Smart Slider 3 to version 3.5.1.34 or later. Regenerate WordPress salts after updating the plugin.
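
A check for the first recommendation, as an added example (not part of the original advisory or the plugin's own code): it reads the Version header from a plugin main file and flags anything below 3.5.1.34. The file paths given on the command line are an assumption, since the page does not describe the plugin's file layout.

```python
import re
import sys
from pathlib import Path

FIXED = (3, 5, 1, 34)  # first fixed release, taken from the advisory

# WordPress plugin headers carry a "Version:" line in the main file's comment block.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.I | re.M)


def parse_version(header_text):
    """Return the plugin version as a tuple of ints, or None if no header is found."""
    m = VERSION_RE.search(header_text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version):
    """True when version < 3.5.1.34. An unknown version is reported as vulnerable."""
    if version is None:
        return True
    # Pad short versions so that 3.5.1 compares as 3.5.1.0.
    padded = version + (0,) * (len(FIXED) - len(version))
    return padded < FIXED


def audit(plugin_files):
    """Map each plugin main-file path (assumed, supplied by the caller) to (version, vulnerable)."""
    results = {}
    for path in plugin_files:
        # WordPress itself only reads the first 8 KiB of a file when parsing headers.
        text = Path(path).read_text(encoding="utf-8", errors="replace")[:8192]
        version = parse_version(text)
        results[str(path)] = (version, is_vulnerable(version))
    return results


if __name__ == "__main__":
    exit_code = 0
    for path, (version, vulnerable) in audit(sys.argv[1:]).items():
        shown = ".".join(map(str, version)) if version else "unknown"
        print(f"{path}: {shown} {'VULNERABLE - update' if vulnerable else 'ok'}")
        exit_code |= int(vulnerable)
    sys.exit(exit_code)
```

A host that reports a version below 3.5.1.34 still needs the salt regeneration step after the update, as the recommendation states.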

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-3098

Affected Products: Smart Slider 3