CVE-2026-3098
Description
The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.5.1.33 via the 'actionExportAll' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated Subscriber-level attackers can exploit Smart Slider 3's export function to read arbitrary server files.
Root Cause
The Smart Slider 3 plugin for WordPress (versions up to and including 3.5.1.33) contains an arbitrary file read vulnerability in the actionExportAll function. The core issue is a chain of AJAX actions where some mutation paths lack proper capability checks, and a controller fallback can be abused to export arbitrary files. This allows an authenticated attacker with only Subscriber-level access to read the contents of sensitive server files. [1]
Exploitation
An attacker with Subscriber-level access (or higher) can trigger the vulnerable actionExportAll function. By manipulating the slider and image management flows, the attacker can cause the plugin to package arbitrary server files, such as configuration files, credentials, and application secrets, into an exported Smart Slider archive. The downloadable archive then becomes a clean exfiltration channel for sensitive data. A proof of concept is known to exist but has not yet been published; the available details are sufficient to understand the attack chain. [1]
Impact
Successful exploitation allows an attacker to read the contents of arbitrary files on the WordPress server, acquiring sensitive information such as database credentials and other application secrets, which should never be accessible to low-privileged users. With over 800,000 active installations, the vulnerability represents a significant risk for sites that permit subscriber registrations, memberships, or WooCommerce accounts, where plugin-assigned permissions are often trusted. [1]
Mitigation
The vendor was contacted on February 26, 2026, the date of disclosure, and a fix is expected. The plugin's author has been provided with a vulnerability report and recommendations. Users should update as soon as a patched release becomes available; until then, consider restricting Subscriber-level access or disabling the plugin. [1]
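As an added illustration (not Smart Slider 3's own code), the following WordPress AJAX export handler applies the two controls the root cause section says were missing: a capability check before any file is touched, and an export path confined to a single directory. The hook name, nonce name, POST parameter and export directory are assumptions.

```php
<?php
// Added example, not Smart Slider 3's own code. Hook, nonce, parameter and
// directory names are assumptions; the point is the two controls the
// advisory describes as missing: a capability check and a constrained path.

add_action('wp_ajax_myplugin_export_all', 'myplugin_export_all');

/**
 * Resolve a user-supplied export name to a file inside $base, or return
 * false. basename() drops any directory components, realpath() resolves
 * symlinks and "..", and the prefix test rejects anything outside $base.
 */
function myplugin_resolve_export_path($base, $requested) {
    $base = realpath($base);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($candidate === false || !is_file($candidate)) {
        return false;
    }
    return strpos($candidate, $base . DIRECTORY_SEPARATOR) === 0 ? $candidate : false;
}

function myplugin_export_all() {
    // Authorisation first: a Subscriber must be rejected here. wp_send_json_error()
    // terminates the request, so nothing below runs for an unprivileged caller.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }
    // CSRF protection for the administrator who is allowed to export.
    check_ajax_referer('myplugin_export', 'nonce');

    $requested = isset($_POST['file']) ? sanitize_file_name(wp_unslash($_POST['file'])) : '';
    $path = myplugin_resolve_export_path(WP_CONTENT_DIR . '/uploads/myplugin-exports', $requested);
    if ($path === false) {
        wp_send_json_error('invalid export target', 400);
    }

    // Only now stream an archive the plugin itself produced earlier.
    header('Content-Type: application/zip');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
    wp_die();
}
```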
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/smart-slider-3/tags/3.5.1.32/Nextend/SmartSlider3/Application/Admin/Sliders/ControllerSliders.php
- plugins.trac.wordpress.org/changeset/3489689/smart-slider-3
- research.cleantalk.org/cve-2026-3098/
- www.wordfence.com/threat-intel/vulnerabilities/id/e2ce9caf-2ca2-401c-acc7-76be2fd72f36
News mentions
No linked articles in our index yet.