WordPress Plugin Vulnerabilities

Smart Slider 3 < 3.5.1.34 - Subscriber+ Arbitrary File Read via actionExportAll

Description

The plugin is vulnerable to Arbitrary File Read via the 'actionExportAll' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Affects Plugins

Plugin icon
smart-slider-3
Fixed in 3.5.1.34

References

CVE
CVE-2026-3098
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e2ce9caf-2ca2-401c-acc7-76be2fd72f36

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Verified
No
WPVDB ID
fd55f132-59a3-497e-87e9-b5e9916da1ad

Timeline

Publicly Published
2026-03-26 (about 1 month ago)
Added
2026-03-30 (about 1 month ago)
Last Updated
2026-03-30 (about 1 month ago)

Other

Published
Title
Published
2026-02-08
Title
Textmetrics < 3.6.5 - Missing Authorization
Published
2026-02-03
Title
Optimize More! – Images <= 1.1.3 - Missing Authorization
Published
2022-11-28
Title
Pie Register < 3.8.1.3 - Unauthenticated Arbitrary User Deletion
Published
2024-01-05
Title
Quiz Maker < 6.5.1.2 - Missing Authorization
Published
2024-01-30
Title
ACF Photo Gallery Field < 2.7 - Missing Authorization