Smart Slider 3 WordPress Plugin Vulnerability Exposes 800,000+ Sites

A high-severity security issue has been found in the popular Smart Slider 3 plugin. The plugin has over 800,000 active installations, which means a large number of websites could be at risk. The vulnerability is tracked as CVE-2026-3098. It allows attackers with basic access to download sensitive files from the server. This becomes more dangerous for websites that allow user registration, as even a normal subscriber account can be used to exploit the issue.

The flaw exists in the plugin’s export feature. It is caused by missing permission checks and improper validation when creating export files. Because of this, any logged-in user can trigger the export function and access files that should never be exposed.

The biggest risk here is access to the wp-config.php file. This file contains database credentials and security keys. If an attacker gets this file, they can easily take full control of the website. They can log in without permission, escalate privileges, and even access sensitive user data.

This vulnerability was discovered by security researcher Dmitrii Ignatyev and reported through the Wordfence Bug Bounty Program. The researcher earned a bounty of $2,208.00 for this discovery. Wordfence quickly released a firewall rule to protect users.

The plugin developer Nextend has already fixed the issue. A patched version was released on March 24, 2026. Website owners are strongly advised to update the plugin to version 3.5.1.34 immediately.
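To check which installations still need that update, the script below (an added example, not code from Nextend or Wordfence) walks a directory tree, reads each Smart Slider 3 plugin header and compares its version with 3.5.1.34. It assumes the plugin lives in a `smart-slider-3` directory under `wp-content/plugins` and treats every lower version as unpatched; the sample header is constructed.

```python
import re
import sys
from pathlib import Path

PATCHED = (3, 5, 1, 34)   # fixed release named in the article
SLUG = "smart-slider-3"   # assumption: plugin directory name under wp-content/plugins
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)

# Constructed sample of a WordPress plugin header (the version is made up).
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: Smart Slider 3\nVersion: 3.5.1.9\n*/\n"


def parse_version(header_text):
    """Return the header's Version as a tuple of ints, or None if absent."""
    if "Plugin Name:" not in header_text:
        return None
    match = VERSION_RE.search(header_text)
    return tuple(int(p) for p in match.group(1).split(".")) if match else None


def needs_update(version):
    """Compare numerically: as strings, '3.5.1.9' would sort above '3.5.1.34'."""
    width = max(len(version), len(PATCHED))
    pad = lambda v: tuple(v) + (0,) * (width - len(v))
    return pad(version) < pad(PATCHED)


def audit(root):
    """Return [(plugin_dir, version_or_None, status)] for installs under root."""
    results = []
    for plugin_dir in sorted(Path(root).rglob(f"wp-content/plugins/{SLUG}")):
        version = None
        for php in sorted(plugin_dir.glob("*.php")):
            # WordPress reads plugin headers from the first 8 KB of the file.
            with open(php, errors="replace") as fh:
                version = parse_version(fh.read(8192))
            if version:
                break
        if version is None:
            status = "unknown"
        else:
            status = "update" if needs_update(version) else "patched"
        results.append((str(plugin_dir), version, status))
    return results


if __name__ == "__main__":
    for path, version, status in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:8} {shown:12} {path}")
```

Run it with the hosting root as the only argument; entries reported as `unknown` have no readable header and need a manual check.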

This incident once again shows that even popular plugins can have serious security flaws. Website owners should never rely blindly on plugins and must keep everything updated. Regular security audits and proper access control are important to avoid such risks.

Deepanker Verma

About the Author: Deepanker Verma

Deepanker Verma is the Founder and Editor-in-Chief of TechloMedia. He holds an Engineering degree in Computer Science and has over 15 years of experience in the technology sector. Deepanker bridges the gap between complex engineering and consumer electronics. He is also a known Security Researcher acknowledged by global giants including Apple, Microsoft, and eBay. He uses his technical background to rigorously test gadgets, focusing on performance, security, and long-term value.
