TechRadar
Sead Fadilpašić

Around 500,000 WordPress websites could be at risk from crucial plugin security flaw — here's what we know


  • Smart Slider 3 WordPress plugin (used on 800,000 sites) carried Arbitrary File Read flaw enabling access to sensitive server files
  • Vulnerability allowed even low-privileged accounts to exfiltrate credentials and configuration data via AJAX export functions
  • Patch released in version 3.5.1.34, but nearly 500K sites remain exposed; users urged to update immediately

A popular WordPress plugin used by hundreds of thousands of websites carried a vulnerability that allowed authenticated attackers to steal sensitive information such as login credentials, security researchers have warned.

Smart Slider 3, which is currently active on more than 800,000 websites, allows users to create responsive, customizable sliders and visual content blocks without needing to code.

However, versions 3.5.1.33 and older are vulnerable to an arbitrary file read flaw that lets authenticated attackers read files on the web server.

Patching and securing websites

The vulnerability in Smart Slider 3 stems from missing permission (capability) checks in its AJAX export functions. A security token (nonce) is checked, but a nonce only protects against cross-site request forgery; it is not an authorization check. Any authenticated user can obtain the nonce from a page the plugin renders, so even low-privileged accounts such as subscribers can trigger the export process.

The actionExportAll() function ultimately packages files into a downloadable ZIP archive using file_get_contents() without validating the type or location of the files it reads. As a result, an attacker can add arbitrary server files to the export, including sensitive configuration files such as wp-config.php, and read confidential data stored on the server.
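As an added illustration, not Smart Slider 3's source and not code from Wordfence or Nextendweb, the following PHP shows the pattern described above in a WordPress AJAX handler: a nonce check with no capability check, and a file list taken straight from the request, beside a hardened version that checks authorization first and confines every path to an export directory. The hook names, nonce action, export directory and the exportPaths parameter are assumptions made for the example.

```php
<?php
// Example code only: the missing-authorization pattern described in the article,
// reconstructed for illustration. Not the plugin's actual code. Hook names, the
// nonce action 'example_export_nonce', the export directory and the
// 'exportPaths' request parameter are all assumptions.

// --- Vulnerable pattern -----------------------------------------------------
// check_ajax_referer() proves the request came from a page this user loaded
// (CSRF protection). It says nothing about what the user is allowed to do, so a
// subscriber who reads the nonce out of the page source can call this endpoint.
// The file list comes from the request, so ABSPATH . 'wp-config.php' is accepted.
add_action('wp_ajax_example_export_all_vulnerable', function () {
    check_ajax_referer('example_export_nonce', 'nonce');   // present, but not authorization

    $zip = new ZipArchive();
    $tmp = tempnam(sys_get_temp_dir(), 'export');
    $zip->open($tmp, ZipArchive::OVERWRITE);
    foreach ((array) ($_POST['exportPaths'] ?? []) as $path) {
        // No check on file type or location: reads whatever path the caller names.
        $zip->addFromString(basename($path), file_get_contents($path));
    }
    $zip->close();
    header('Content-Type: application/zip');
    readfile($tmp);
    unlink($tmp);
    wp_die();
});

// --- Hardened pattern -------------------------------------------------------

/**
 * Return the canonical path of $candidate if it is a regular file inside
 * $base_dir with an allowed extension, or null otherwise. realpath() resolves
 * '..' segments and symlinks, so the prefix comparison runs on the resolved
 * path; comparing the raw request string would be bypassable.
 */
function example_confine_path(string $candidate, string $base_dir, array $allowed_ext): ?string {
    $base = realpath($base_dir);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null;                       // escaped the export directory
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return null;                       // wp-config.php is never exportable
    }
    return is_file($real) ? $real : null;
}

add_action('wp_ajax_example_export_all_hardened', function () {
    // 1. Authorization first: only users who may manage the plugin may export.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);  // calls wp_die() internally
    }
    // 2. Then CSRF protection.
    check_ajax_referer('example_export_nonce', 'nonce');

    // 3. Never trust client-supplied paths: strip directories with basename(),
    //    then confine the result to the export directory and an extension allow-list.
    $upload   = wp_upload_dir();
    $base_dir = $upload['basedir'] . '/example-slider-export';   // assumed location
    $allowed  = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'json'];

    $zip = new ZipArchive();
    $tmp = tempnam(sys_get_temp_dir(), 'export');
    $zip->open($tmp, ZipArchive::OVERWRITE);
    foreach ((array) ($_POST['exportPaths'] ?? []) as $requested) {
        $safe = example_confine_path($base_dir . '/' . basename((string) $requested), $base_dir, $allowed);
        if ($safe === null) {
            continue;                      // skip anything outside the allow-list
        }
        $zip->addFile($safe, basename($safe));
    }
    $zip->close();
    nocache_headers();
    header('Content-Type: application/zip');
    header('Content-Disposition: attachment; filename="export.zip"');
    readfile($tmp);
    unlink($tmp);
    wp_die();
});
```

Both handlers are reached through wp-admin/admin-ajax.php with action=example_export_all_vulnerable or action=example_export_all_hardened, a valid nonce and one or more exportPaths values. The order of the checks in the hardened handler matters: the capability test answers "may this user do this at all", the nonce answers "did this user mean to send this request", and the path confinement answers "may this particular file leave the server". The vulnerable handler asks only the second question.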

Because some of those files contain credentials, keys and salts, the impact can be severe. Because exploitation requires an authenticated account, however, the vulnerability was assigned a medium severity score. Some researchers argue that, with membership and subscription features that let anyone register an account now common, the real-world risk is greater than the score suggests.

The bug was first spotted by security researcher Dmitrii Ignatyev in late February 2026, and reported to Wordfence in early March. He received a $2,200 bounty for his findings.

Nextendweb, the maintainers of Smart Slider 3, released a patch in version 3.5.1.34. At the time of writing the patched version had been downloaded 308,575 times, meaning just under 500,000 of the roughly 800,000 active installations were still vulnerable.

Currently, there are no reports of the bug being exploited in the wild, but users are advised to update their plugin as soon as possible to avoid being targeted.

Protecting WordPress websites


WordPress core is generally considered secure, with no known unpatched major vulnerabilities. However, the platform operates a vast repository of third-party themes and plugins, split into free and premium categories. Premium ones usually come with a dedicated maintenance and development team and are regularly updated and hardened against attacks.

Free ones, on the other hand, are often built by enthusiasts, small teams and freelance developers. Many are abandoned, unmaintained or otherwise poorly managed despite remaining popular, which makes them both a large security risk for site owners and an attractive target for attackers.

As a general rule of thumb, security researchers advise WordPress users to keep the platform, themes and plugins updated at all times, to keep only the themes and plugins they actively use installed, and to review the default security and privacy settings rather than leaving them as shipped. Given that this flaw required only a subscriber account, site owners should also check whether open user registration is actually needed on their site.

Via BleepingComputer
