Smart Slider 3 File-Read Flaw Exposes WordPress Secrets on 500,000 Sites
A file-read vulnerability in the Smart Slider 3 WordPress plugin could let authenticated users with only subscriber-level access read arbitrary files from the server, including wp-config.php, on more than 500,000 likely unpatched sites. The flaw, tracked as CVE-2026-3098, affects all versions through 3.5.1.33 and stems from missing capability checks and insufficient file validation in the plugin’s AJAX export functionality.
Researcher Dmitrii Ignatyev reported the issue, which was validated by Wordfence before developer Nextendweb released a fix in Smart Slider 3 3.5.1.34. Security reporting said there was no evidence of active exploitation at publication time, but successful attacks could expose database credentials, cryptographic keys, and WordPress salt values, creating a path to broader site compromise.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Public disclosure warns hundreds of thousands of WordPress sites remain exposed
By March 29-30, public reporting disclosed CVE-2026-3098 and warned that although Smart Slider 3 is active on more than 800,000 sites, at least 500,000 WordPress sites likely remained vulnerable because they had not yet updated. Reports said there was no evidence of active exploitation at the time, but successful attacks could expose database credentials, cryptographic keys, and WordPress salts, enabling broader site compromise.
Researcher discovers and reports Smart Slider 3 file-read flaw
Security researcher Dmitrii Ignatyev discovered an arbitrary file-read vulnerability in the Smart Slider 3 WordPress plugin and reported it to Wordfence, which validated the issue and notified plugin developer Nextendweb. The flaw was later tracked as CVE-2026-3098 and affects versions through 3.5.1.33.
Nextendweb releases Smart Slider 3 version 3.5.1.34 to patch CVE-2026-3098
On March 24, Nextendweb released Smart Slider 3 version 3.5.1.34 to fix the authenticated arbitrary file-read vulnerability caused by missing capability checks and insufficient file validation in AJAX export functionality. The bug could allow subscriber-level users to read sensitive files such as wp-config.php.
Wordfence deploys firewall protection for CVE-2026-3098
On 2026-02-24, Wordfence rolled out firewall protections for paid users against the Smart Slider 3 arbitrary file-read flaw later tracked as CVE-2026-3098. The mitigation followed researcher Dmitrii Ignatyev's report through the Wordfence Bug Bounty Program on February 23.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
WordPress Plugin Vulnerability Exposes Sensitive Data from 800,000+ Sites
cybersecuritynews.com
Open sourceWidespread compromise possible with Smart Slider WordPress plugin flaw | brief | SC Media
scworld.com
Open sourceFile read flaw in Smart Slider plugin impacts 500K WordPress sites
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical WordPress Plugin Flaws Expose Sites to File Upload, SQL Injection, and Takeover
Multiple **WordPress plugins** were flagged for severe vulnerabilities that could let attackers take over sites through unauthenticated file upload, SQL injection, arbitrary file deletion, and authorization bypass. References point to issues in plugins including **WP Duplicate**, **Ninja Forms File Upload**, **Ultimate Member**, **Product Addons for WooCommerce**, **CleanTalk Spam Protect**, **Ally**, **Perfmatters**, and **Kali Forms**, alongside identifiers such as **`CVE-2024-48930`**, **`CVE-2025-13192`**, and **`CVE-2026-1104`**. Several flaws were described as allowing arbitrary plugin installation, malicious file upload, or direct database manipulation, creating a path to remote code execution and full site compromise. Wordfence reports indicate the exposure spans **hundreds of thousands of WordPress sites**, with some bugs already under **active exploitation**. The most serious cases include an unauthenticated SQL injection flaw in the **Ally** plugin affecting roughly **400,000 sites**, an arbitrary file deletion issue in **Perfmatters** affecting about **200,000 sites**, and active attacks targeting a critical flaw in **Kali Forms**. Taken together, the disclosures show a broad wave of high-impact plugin security failures that increase the risk of website defacement, malware deployment, data theft, and administrator-level compromise across the WordPress ecosystem.
May 25, 2026
Backdoor RCE Disclosed in WordPress Product Slider Pro for WooCommerce
A critical vulnerability tracked as **CVE-2026-49777** was disclosed in ShapedPlugin's **Product Slider Pro for WooCommerce** WordPress plugin, with reports describing it as a **backdoor** and **supply-chain remote code execution** issue. The flaw was assigned **CWE-1284** and a **CVSS 3.1** score reflecting critical impact (`AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`), indicating that attackers could potentially compromise confidentiality, integrity, and availability without authentication or user interaction. Public reporting shows inconsistent affected-version boundaries, with one source listing versions **before 3.5.3** and another identifying versions **before 3.5.4**, while a Nuclei template pull request labels the issue as **KEV** and ties it to active detection efforts. The CVE record also notes that the vendor said the issue was fixed in an existing release but did not clearly publish a definitive patched version, leaving defenders to verify plugin versions carefully and treat older deployments as potentially exposed until remediation guidance is clarified.
Jun 9, 2026
Critical File Upload Flaws Expose WordPress Plugins to Remote Code Execution
Multiple WordPress plugins were found vulnerable to **unauthenticated arbitrary file upload** flaws that can lead to remote code execution and full site compromise. The most urgent case involves the **Breeze Cache** plugin, where **CVE-2026-3844** affects versions through `2.4.4` when the optional **"Host Files Locally - Gravatars"** feature is enabled. Researchers said the bug stems from missing file-type validation in the `fetch_gravatar_from_remote` function, and BleepingComputer reported that attackers are already exploiting the issue in the wild, with Wordfence observing more than 170 attack attempts. Cloudways released a fix in version `2.4.5`, and defenders were urged to update immediately or disable the Gravatar-related feature until patching is complete. Two additional **Contact Form 7** upload extensions were also disclosed with critical upload weaknesses. **CVE-2026-5718** affects **Drag and Drop Multiple File Upload for Contact Form 7** through `1.3.9.6`, where custom blacklist handling can override the default dangerous-extension denylist and a non-ASCII filename trick can bypass sanitization, allowing attackers to upload PHP files. **CVE-2026-5364** affects **Drag and Drop File Upload for Contact Form 7** through `1.1.3`, where the plugin validates an unsanitized extension but saves a sanitized one, enabling bypasses using special characters such as `$`; researchers noted that `.htaccess` protections and filename randomization may reduce real-world exploitability. Together, the disclosures highlight a broader pattern of insecure file validation in WordPress upload plugins.
Apr 24, 2026