Critical File Read Vulnerability Exposes Over 500,000 WordPress Sites Using Smart Slider 3 Plugin
A high-severity vulnerability in the **Smart Slider 3** WordPress plugin, affecting over 800,000 websites, allows unauthorized access to sensitive server files. The flaw, tracked as **CVE-2026-3098**, could lead to complete website takeover and data theft if exploited.

**Smart Slider 3**, a popular WordPress plugin used on over 800,000 websites for creating image sliders and content carousels, is vulnerable to a file read vulnerability. This flaw allows even subscriber-level users to access arbitrary files on the server.
An authenticated attacker could exploit this vulnerability to access sensitive files like `wp-config.php`, which contains database credentials, keys, and salt data. This access could then lead to user data theft and complete website takeover.
### Vulnerability Details
The vulnerability, identified as **CVE-2026-3098**, was discovered by researcher Dmitrii Ignatyev and affects all versions of the **Smart Slider 3** plugin up to and including version 3.5.1.33. It has been assigned a medium severity score due to the requirement for authentication, but the widespread use of membership and subscription features on WordPress sites significantly increases the potential impact.
The root cause of the vulnerability lies in missing capability checks within the plugin's AJAX export actions. This allows any authenticated user, including subscribers, to invoke these actions.
According to researchers at **Defiant**, the developers of the **Wordfence** security plugin, the `actionExportAll` function lacks sufficient file type and source validation. This enables attackers to read arbitrary server files and add them to the export archive.
The presence of a nonce offers no protection, as it can be easily obtained by authenticated users.
“Unfortunately, this function does not include any file type or file source checks in the vulnerable version. This means that not only image or video files can be exported, but .php files as well,” says István Márton, a vulnerability research contractor at **Defiant**.
“This ultimately makes it possible for authenticated attackers with minimal access, like subscribers, to read any arbitrary file on the server, including the site’s wp-config.php file, which contains the database credentials as well as keys and salts for cryptographic security.”
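As an added illustration (not Smart Slider 3's or Wordfence's code), the pattern the article describes: a WordPress AJAX export handler guarded only by a nonce, beside a hardened version that adds the missing capability check and restricts the export to an allow-listed media type under the uploads directory. The handler names, the nonce action `slider_export` and the `file` request parameter are assumptions.

```php
<?php
// Illustrative only: hypothetical handlers, not the plugin's own code.

// WEAK: a nonce proves the request came from a logged-in session, not that the
// user is allowed to export. Any subscriber can obtain the nonce and call this.
function weak_export_all_ajax() {
    check_ajax_referer( 'slider_export' );   // CSRF check only, no authorization
    $file = $_POST['file'];                   // untrusted path, no type/source check
    readfile( $file );                        // arbitrary file read, e.g. wp-config.php
    wp_die();
}

// HARDENED: capability check plus an allow-listed directory and extension.
function hardened_export_all_ajax() {
    check_ajax_referer( 'slider_export' );
    if ( ! current_user_can( 'manage_options' ) ) {   // authorization: admins only
        wp_send_json_error( 'forbidden', 403 );
    }
    $requested = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $path      = validate_export_path( $requested );
    if ( false === $path ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    header( 'Content-Type: application/octet-stream' );
    readfile( $path );
    wp_die();
}

// Returns the canonical path if it lies inside the uploads directory and has an
// allowed media extension; otherwise false. realpath() resolves "../" and symlinks.
function validate_export_path( $requested ) {
    $uploads = wp_get_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    $real    = realpath( $base . '/' . ltrim( $requested, '/' ) );
    if ( false === $base || false === $real ) {
        return false;
    }
    if ( 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {   // must stay under uploads
        return false;
    }
    $ext = strtolower( pathinfo( $real, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'jpg', 'jpeg', 'png', 'gif', 'webp', 'mp4' ), true ) ) {
        return false;   // .php and any other non-media extension is rejected
    }
    return $real;
}

add_action( 'wp_ajax_slider_export_all', 'hardened_export_all_ajax' );
```

The capability check is the fix for the root cause the article names; the path and extension validation addresses the separate missing file type and file source checks.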
### Over 500,000 Websites Remain Vulnerable
Ignatyev reported the vulnerability to **Wordfence** on February 23rd. **Wordfence** validated the proof-of-concept exploit and subsequently informed **Nextendweb**, the developer of **Smart Slider 3**.
**Nextendweb** acknowledged the report on March 2nd and released a patch with version 3.5.1.34 on March 24th.
According to WordPress.org stats, the plugin has been downloaded over 300,000 times in the past week. Set against roughly 800,000 active installations, this indicates that at least 500,000 WordPress sites are still running a vulnerable version of the **Smart Slider 3** plugin and are at risk of exploitation.
While **CVE-2026-3098** is not currently flagged as actively exploited, this status could change rapidly. Website owners and administrators are strongly advised to update to the latest version of the **Smart Slider 3** plugin immediately.
