- Smart Slider 3 WordPress plugin (used on 800,000 sites) has an arbitrary file reading flaw that allows access to sensitive server files
- Vulnerability allowed even low-privileged accounts to exfiltrate credentials and configuration data via AJAX export functions
- Patch released in version 3.5.1.34, but nearly 500,000 sites remain exposed; users are encouraged to update immediately
A popular WordPress plugin used by hundreds of thousands of websites reportedly contained a vulnerability that allowed threat actors to steal sensitive information such as login credentials, experts have warned.
Currently active on more than 800,000 websites, Smart Slider 3 allows users to create responsive, custom sliders and visual content blocks without coding.
However, versions 3.5.1.33 and earlier were all vulnerable to an arbitrary file read flaw, which allows authenticated threat actors to access and read files on the server.
Patching and securing websites
The vulnerability in Smart Slider 3 stems from a lack of permission checks in its AJAX export functions. Although a security token (nonce) is required, any authenticated user can obtain it, allowing even low-privileged accounts (such as subscribers) to trigger the export process.
The ActionExportAll() function ultimately packages files into a downloadable .ZIP file using file_get_contents() without validating the file type or source, and as a result, the attackers can even include arbitrary server files, such as sensitive configuration files (for example, wp-config.php). This lack of restrictions allows authenticated attackers to read confidential data stored on the server.
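The two controls the article describes as missing (a capability check on the export handler and a containment check before any file is read) look like this in a WordPress AJAX handler. This is an added illustration written for this page, not Smart Slider 3's own code; the `example_` names, the export directory and the `files` request parameter are assumptions.

```php
<?php
// Added illustration (not Smart Slider 3's code): a hardened AJAX export handler.
// Names prefixed "example_" and the export directory are hypothetical.

// Only files below this directory may be bundled into an export (assumed location).
define('EXAMPLE_EXPORT_BASE', WP_CONTENT_DIR . '/uploads/example-slider-exports');

/**
 * Resolve $requested relative to $base and return its real path only if it
 * stays inside $base. Returns false for missing files, symlinks that point
 * outside the directory, or "../" escapes (e.g. a request for wp-config.php).
 */
function example_contain_path(string $requested, string $base) {
    $real_base = realpath($base);
    $real_file = realpath($base . '/' . ltrim($requested, '/'));
    if ($real_base === false || $real_file === false || !is_file($real_file)) {
        return false;
    }
    $prefix = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real_file, $prefix, strlen($prefix)) !== 0) {
        return false; // resolved outside the export directory
    }
    return $real_file;
}

/**
 * AJAX handler: nonce check AND capability check, then contained reads only.
 * A nonce proves the request came from a page we rendered; it is not
 * authorization, because any logged-in user can read one off that page.
 */
function example_action_export_all() {
    // 1. Nonce: CSRF defence only.
    check_ajax_referer('example_export_nonce', 'nonce');

    // 2. Capability: the missing control. Subscribers stop here.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Insufficient permissions'], 403);
    }

    // 3. The file list comes from the request, so every entry must be contained.
    $requested = (isset($_POST['files']) && is_array($_POST['files'])) ? $_POST['files'] : [];
    $zip_path  = tempnam(get_temp_dir(), 'export');
    $zip       = new ZipArchive();
    if ($zip->open($zip_path, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        wp_send_json_error(['message' => 'Could not create archive'], 500);
    }
    foreach ($requested as $name) {
        $safe = example_contain_path(sanitize_text_field(wp_unslash($name)), EXAMPLE_EXPORT_BASE);
        if ($safe === false) {
            $zip->close();
            unlink($zip_path);
            wp_send_json_error(['message' => 'Rejected file in export request'], 400);
        }
        // file_get_contents() is only ever reached with a contained path.
        $zip->addFromString(basename($safe), file_get_contents($safe));
    }
    $zip->close();

    header('Content-Type: application/zip');
    header('Content-Disposition: attachment; filename="export.zip"');
    readfile($zip_path);
    unlink($zip_path);
    wp_die();
}
add_action('wp_ajax_example_export_all', 'example_action_export_all');
// Deliberately no wp_ajax_nopriv_ hook: unauthenticated requests are never served.
```

The order matters: the capability check runs before any request data is touched, and `realpath()` is compared as a directory prefix (with the trailing separator) so that a sibling directory sharing the same name prefix cannot pass.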
Since some of the files contain sensitive information, such as credentials, keys or salt data, the impact of the vulnerability can be serious. Because the threat actors must be authenticated in order to carry out the attack, the vulnerability was given a medium severity score. However, some say memberships and subscription options are “commonplace” on many platforms these days, suggesting the real-world risk is greater than the severity score suggests.
The flaw was first discovered by security researcher Dmitrii Ignatyev in late February 2026 and reported to Wordfence in early March. He received a $2,200 bounty for his findings.
Nextendweb, the maintainers of Smart Slider 3, have released a patch with version 3.5.1.34, and at the time of writing, the latest version has been downloaded exactly 308,575 times – meaning that just under 500,000 websites are still vulnerable.
There are currently no reports of the bug being exploited in the wild, but users are advised to update their plugin as soon as possible to avoid being targeted.
Protection of WordPress websites
As a platform, WordPress core is generally considered secure, with no known major unpatched vulnerabilities. However, it does run a large repository of third-party, user-built themes and plugins, divided into free and premium categories. The latter usually come with a dedicated maintenance and development team and as such are regularly updated and hardened against attacks.
The free ones, on the other hand, are often built by enthusiasts, small teams and freelance developers. Many of them are abandoned, unmaintained or otherwise poorly managed, despite being popular with users. As such, they create a huge security risk on one end and attack opportunity on the other.
As a general rule of thumb, security researchers advise WordPress users to keep their platform, themes and plugins up to date at all times. Furthermore, they suggest that users only keep installed the themes and plugins they actively use, and make sure to replace all default security and privacy settings.
Via Bleeping Computer