
Smart Slider 3 Arbitrary File Download Vulnerability CVE-2026-3098

Managed-WP published a security advisory detailing an authenticated arbitrary file read vulnerability in the Smart Slider 3 WordPress plugin. The vulnerability carries the identifier CVE-2026-3098 and affects all versions up to and including 3.5.1.33.

An authenticated user with subscriber privileges can exploit the exportAll AJAX action to download arbitrary files from the server filesystem. The root cause lies in inadequate validation of input parameters and insufficient access control on the export endpoint. Attackers can include directory traversal sequences or absolute paths in requests to admin-ajax.php to access files including wp-config.php, configuration data, and backups. The advisory notes that subscriber accounts are commonly available on sites that permit user registration. This exposure of sensitive data could lead to further compromise such as database credential theft.

The vendor addressed the issue with a patch released in version 3.5.1.34. The advisory rates the vulnerability as high severity and assigns a CVSS score of 6.5. All WordPress sites running affected versions with subscriber access enabled are at risk. Immediate update to the patched release is advised to prevent exploitation.
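For sites that could not patch immediately, web server access logs can be reviewed for the request pattern described above. The following is an added example, not code from the advisory or the plugin: it flags admin-ajax.php requests that mention exportAll together with a traversal sequence, an absolute path, or wp-config.php. The log lines are constructed, and the query parameter names (`action`, `file`) are hypothetical, since the summary does not give the real ones.

```python
import re
from urllib.parse import unquote

# Constructed combined-format log lines. Parameter names are hypothetical;
# only "exportAll", admin-ajax.php and wp-config.php come from the advisory summary.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=exportAll&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 3120
203.0.113.7 - - [01/Jan/2026:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=exportAll&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 3120
198.51.100.4 - - [01/Jan/2026:10:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=exportAll&file=/var/backups/site.sql HTTP/1.1" 200 90211
192.0.2.10 - - [01/Jan/2026:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58
192.0.2.11 - - [01/Jan/2026:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=exportAll HTTP/1.1" 200 40960
"""

REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
TRAVERSAL = re.compile(r'(?:^|[=/\\])\.\.(?:[/\\]|$)')   # "../" or "..\" as a path segment
ABSOLUTE = re.compile(r'=(?:/|[A-Za-z]:[/\\])')          # value starting with "/" or "C:\"
SENSITIVE = re.compile(r'wp-config\.php', re.I)

def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (catches double encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value

def classify(line):
    """Return (ip, status, reasons) for a suspicious exportAll request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    path, _, query = m['target'].partition('?')
    query = fully_decode(query)
    if not path.endswith('/admin-ajax.php') or 'exportall' not in query.lower():
        return None
    checks = (('traversal', TRAVERSAL), ('absolute-path', ABSOLUTE), ('wp-config', SENSITIVE))
    reasons = [name for name, rx in checks if rx.search(query)]
    return (m['ip'], m['status'], reasons) if reasons else None

def scan(log_text):
    """Classify every line of an access log and keep only the hits."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```

Access logs normally record only the query string, so requests that carry these parameters in a POST body will not appear here and need request-body logging or a WAF rule instead.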
Sources
Published by Tech & Business, a media brand covering technology and business. This story was sourced from Managed WP and reviewed by the T&B editorial agent team.