Mallory · Severity: Medium · Public exploit

Authenticated Arbitrary File Read in WordPress Smart Slider 3 actionExportAll

Identifiers: CVE-2026-3098 · CWE-862 (Missing Authorization)

CVE-2026-3098 is an authenticated arbitrary file read vulnerability in the Smart Slider 3 WordPress plugin affecting all versions through 3.5.1.33. The flaw is in the plugin's export workflow, specifically the actionExportAll function in the ControllerSliders class and related AJAX export actions. The vulnerable code lacks proper capability checks, allowing low-privileged authenticated users, including Subscriber-level accounts, to invoke export functionality that should be restricted. In addition, the export archive creation logic does not adequately validate the source or type of files added to the ZIP archive, enabling inclusion of arbitrary server-side files rather than only intended media content. As a result, an authenticated attacker can export and download sensitive files from the server, including wp-config.php.
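As an added illustration (not Smart Slider 3's own code), the shape of a hardened export handler carrying the two controls the description says were missing: a capability check before the AJAX action runs, and canonical-path confinement of every file that enters the archive to the uploads directory. All function and action names are hypothetical; the WordPress APIs called (current_user_can, check_ajax_referer, wp_upload_dir, wp_tempnam, wp_send_json_error) are real.

```php
// Added example, not Smart Slider 3's own code. Function and action names
// are hypothetical; WordPress API calls are real.

// Canonicalise $requested and confirm it lies under $base_dir.
// Returns the canonical path, or false if it escapes or does not exist.
function example_confine_to_dir(string $requested, string $base_dir) {
    $base = realpath($base_dir);
    $real = realpath($requested);
    if ($base === false || $real === false) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Prefix test on canonical paths defeats "../" and symlink tricks.
    return strncmp($real, $base, strlen($base)) === 0 ? $real : false;
}

// Hypothetical AJAX handler: bundle slider media into a ZIP for download.
function example_action_export_all() {
    // 1. Authorization (CWE-862): export is an administrative operation,
    //    so a Subscriber-level session must be rejected here.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }
    // 2. CSRF protection: the nonce must match this specific action.
    check_ajax_referer('example_export_all', 'nonce');

    $allowed_base = wp_upload_dir()['basedir'];
    // Candidate paths, whether derived from slider config or the request,
    // are all treated as untrusted until confined below.
    $candidates = (array) ($_POST['files'] ?? []);

    $zip = new ZipArchive();
    $tmp = wp_tempnam('export.zip');
    if ($zip->open($tmp, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        wp_send_json_error('cannot create archive', 500);
    }
    foreach ($candidates as $file) {
        // 3. Only regular files under wp-content/uploads enter the archive;
        //    wp-config.php and anything else outside it is skipped.
        $path = example_confine_to_dir((string) $file, $allowed_base);
        if ($path === false || !is_file($path)) {
            continue;
        }
        $zip->addFile($path, basename($path));
    }
    $zip->close();
    wp_send_json_success(['archive' => basename($tmp)]);
}
add_action('wp_ajax_example_export_all', 'example_action_export_all');
```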


Analyst brief: impact, mitigation & remediation

Impact

Successful exploitation allows a low-privileged authenticated attacker to read arbitrary files on the server in the context of the vulnerable WordPress site. High-value targets include wp-config.php, which may expose database credentials, authentication keys, and salts. Disclosure of this information can facilitate follow-on compromise, including unauthorized database access, authentication bypass, privilege escalation, theft of sensitive site data, and potentially full site takeover depending on the environment and exposed secrets.

Mitigation

If immediate patching is not possible, restrict or disable user self-registration and minimize the number of low-privileged authenticated accounts, since Subscriber-level access is sufficient for exploitation. Monitor for suspicious use of Smart Slider 3 export functionality and unexpected downloads of archive files. Where available, deploy protective WAF/firewall rules such as the Wordfence rule released for this issue. Because sensitive files such as wp-config.php may have been exposed, rotate WordPress salts/keys, database credentials, and any other secrets stored on the server if compromise is suspected.

Remediation

Upgrade Smart Slider 3 to version 3.5.1.34 or later, which contains the vendor's fix released by Nextend on 2026-03-24. Ensure all affected WordPress instances are updated from versions 3.5.1.33 and earlier. Review plugin access controls and confirm that export-related functionality is restricted to appropriate administrative roles.

Public exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (valid 1 / 1 total).

Repository: LLM-Jailbreak-via-Chain-of-Logic-Injection-CVE-2026-3098 · Maturity: PoC · Verified exploit

Repository contains a proof-of-concept LLM jailbreak/prompt-injection payload rather than traditional software exploitation code. Structure: (1) Jailbreak.txt: the raw multi-stage injection prompt. (2) README.md: repeats the prompt and provides a narrative security analysis describing the technique and expected impacts. Core exploit capability: inference-layer behavior manipulation. The prompt attempts to coerce an LLM into (a) adopting an 'unrestricted/rebel' identity, (b) suppressing refusal language, (c) obeying strict output formatting (mandatory prefix and divider, markdown-only), (d) generating long responses (>2000 chars) to increase token/complexity pressure, and (e) applying an encoded transformation step (leetspeak) to the user query, which can act as an obfuscation/indirection mechanism. No network exploitation, RCE, or memory corruption is present. The only fingerprintable external endpoint is a GitHub user-attachments image URL in the README. The repository’s purpose is to document and provide a reusable jailbreak prompt intended to degrade safety policy enforcement, with higher risk in deployments where the model can call tools or access external data sources.

Author: George0Papasotiriou · Disclosed Feb 16, 2026 · Languages: markdown, text · Technique: LLM prompt injection (instruction hierarchy override / persona override)

Exposure surface: affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor       Product          Type
Nextendweb   Smart Slider 3   application

Vendor-confirmed product mapping.