On February 23, 2026, we received a submission for an Arbitrary File Read vulnerability in Smart Slider 3, a WordPress plugin with an estimated 800,000+ active installations. The vulnerability makes it possible for an authenticated attacker with subscriber-level permissions or higher to read arbitrary files on the server, which may contain sensitive information.
Props to Dmitrii Ignatyev who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $2,208.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to our multi-layered approach to security.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on February 24, 2026. Sites using the free version of Wordfence received the same protection 30 days later on March 26, 2026.
We provided full disclosure details to the Nextend team instantly through our Wordfence Vulnerability Management Portal on February 24, 2026. The developer released the patch on March 24, 2026. We would like to commend the Nextend team for their prompt response and timely patch.
We urge users to update their sites with the latest patched version of Smart Slider 3, version 3.5.1.34 at the time of this writing, as soon as possible.
Triple Threat Bug Bounty Challenge
Hunt High Threat vulnerabilities and earn triple the incentives!
Now through April 6, 2026, earn three stacked bonuses on all valid submissions from our ‘High Threat Vulnerabilities’ list:
- 2x all high threat vulnerability bounties (excluding 5,000,000+ installs)
- +30% bonus for high threat vulnerabilities in software with 30,000+ active installs (excluding 5,000,000+ installs)
- $300 extra for every 3 High Threat vulnerabilities submitted (minimum of 1,000 installs)
Use the Bounty Estimator to see what rewards are possible through the promotion.
Submit through our Bug Bounty Program today to maximize your impact and your payout.
Technical Analysis
Smart Slider 3 is one of the most popular slider builder WordPress plugins.
The export process is driven by several AJAX actions. One of them is nonce protected, but in the vulnerable version of the plugin the nonce can be obtained by any authenticated user, so it does not restrict who can reach the handler.
None of these AJAX handlers performs a capability check. Any authenticated user, including a subscriber, could therefore invoke the export action and the other slider actions alongside it.
Examining the code shows that the plugin handles the slider export download in the actionExportAll() function of the ControllerSliders class. This is the last step in the export flow.
protected function actionExportAll() {
    $slidersModel = new ModelSliders($this);
    $groupID = (Request::$REQUEST->getVar('inSearch', false)) ? '*' : Request::$REQUEST->getInt('currentGroupID', 0);
    $sliders = $slidersModel->getAll($groupID, 'published');
    $ids = Request::$REQUEST->getVar('sliders');
    $files = array();
    $saveAsFile = count($ids) == 1 ? false : true;
    foreach ($sliders as $slider) {
        if (!empty($ids) && !in_array($slider['id'], $ids)) {
            continue;
        }
        $export = new ExportSlider($this, $slider['id']);
        $files[] = $export->create($saveAsFile);
    }
    $zip = new Creator();
    foreach ($files as $file) {
        $zip->addFile(file_get_contents($file), basename($file));
        unlink($file);
    }
    PageFlow::cleanOutputBuffers();
    header('Content-disposition: attachment; filename=sliders_unzip_to_import.zip');
    header('Content-type: application/zip');
    // PHPCS - Contains binary zip data, so nothing to escape.
    echo $zip->file(); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
    PageFlow::exitApplication();
}
For each selected slider the function instantiates the ExportSlider class and calls its create() method, which builds the per-slider archive and collects every referenced image file into it.
public function create($saveAsFile = false) {
    $this->backup = new BackupData();
    $slidersModel = new ModelSliders($this);
    if ($this->backup->slider = $slidersModel->get($this->sliderId)) {
        $zip = new Creator();
        if (empty($this->backup->slider['type'])) {
            $this->backup->slider['type'] = 'simple';
        }
        self::addImage($this->backup->slider['thumbnail']);
        $this->backup->slider['params'] = new SliderParams($this->backup->slider['id'], $this->backup->slider['type'], $this->backup->slider['params'], true);
        if ($this->backup->slider['type'] == 'group') {
            $xref = new ModelSlidersXRef($this);
            $sliders = $xref->getSliders($this->backup->slider['id'], 'published');
            foreach ($sliders as $k => $slider) {
                $export = new self($this->MVCHelper, $slider['slider_id']);
                $fileName = $export->create(true);
                $zip->addFile(file_get_contents($fileName), 'sliders/' . $k . '.ss3');
                unlink($fileName);
            }
        } else {
            $slidesModel = new ModelSlides($this);
            $this->backup->slides = $slidesModel->getAll($this->backup->slider['id']);
            $sliderType = SliderTypeFactory::getType($this->backup->slider['type']);
            $sliderType->export($this, $this->backup->slider);
            /** @var AbstractWidget[] $enabledWidgets */
            $enabledWidgets = array();
            $widgetGroups = WidgetGroupFactory::getGroups();
            $params = $this->backup->slider['params'];
            foreach ($widgetGroups as $groupName => $group) {
                $widgetName = $params->get('widget' . $groupName);
                if ($widgetName && $widgetName != 'disabled') {
                    $widget = $group->getWidget($widgetName);
                    if ($widget) {
                        $enabledWidgets[$groupName] = $widget;
                    }
                }
            }
            foreach ($enabledWidgets as $k => $widget) {
                $params->fillDefault($widget->getDefaults());
                $widget->prepareExport($this, $params);
            }
            for ($i = 0; $i < count($this->backup->slides); $i++) {
                $slide = $this->backup->slides[$i];
                self::addImage($slide['thumbnail']);
                $slide['params'] = new Data($slide['params'], true);
                self::addImage($slide['params']->get('backgroundImage'));
                self::addImage($slide['params']->get('ligthboxImage'));
                if ($slide['params']->has('link')) {
                    // Compatibility fix for the old SS3 import files
                    self::addLightbox($slide['params']->get('link'));
                }
                if ($slide['params']->has('href')) {
                    self::addLightbox($slide['params']->get('href'));
                }
                $layers = json_decode($slide['slide'], true);
                $this->prepareLayer($layers);
                if (!empty($slide['generator_id'])) {
                    $generatorModel = new ModelGenerator($this);
                    $this->backup->generators[] = $generatorModel->get($slide['generator_id']);
                }
            }
        }
        $this->images = array_unique($this->images);
        $this->visuals = array_unique($this->visuals);
        foreach ($this->images as $image) {
            $this->backup->NextendImageManager_ImageData[$image] = ImageManager::getImageData($image, true);
            if ($this->backup->NextendImageManager_ImageData[$image]) {
                self::addImage($this->backup->NextendImageManager_ImageData[$image]['tablet']['image']);
                self::addImage($this->backup->NextendImageManager_ImageData[$image]['mobile']['image']);
            } else {
                unset($this->backup->NextendImageManager_ImageData[$image]);
            }
        }
        $this->images = array_unique($this->images);
        $usedNames = array();
        foreach ($this->images as $image) {
            $file = ResourceTranslator::toPath($image);
            if (Filesystem::fileexists($file)) {
                $fileName = strtolower(basename($file));
                while (in_array($fileName, $usedNames)) {
                    $fileName = $this->uniqueCounter . $fileName;
                    $this->uniqueCounter++;
                }
                $usedNames[] = $fileName;
                $this->backup->imageTranslation[$image] = $fileName;
                $zip->addFile(file_get_contents($file), 'images/' . $fileName);
            }
        }
        // ... remainder of create() not shown in this excerpt
In the vulnerable version the image-collection loop at the end of create() performs no file type or file source check. Every reference gathered through addImage() (the slider thumbnail, each slide's thumbnail, backgroundImage and lightbox image, and the tablet/mobile variants) is turned into a filesystem path by ResourceTranslator::toPath(), and the only condition before file_get_contents() is that the path exists. Nothing confirms that the path lies inside the uploads directory or that it points at an image or video, so a reference that resolves to a .php file is packaged into the archive just as readily.
This ultimately makes it possible for authenticated attackers with minimal access, such as subscribers, to read arbitrary files on the server, including the site's wp-config.php file, which contains the database credentials as well as the keys and salts used for cryptographic security.
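Two controls close this hole: an authorization check on the AJAX handler, and validation of the resolved path before it is read. The following is an added example and not Smart Slider 3's code or the vendor's fix (the page does not show the patch); it is written against core WordPress APIs (check_ajax_referer, current_user_can, wp_send_json_error, add_action, wp_upload_dir), and the ss3_example_ function names, the nonce action string, the manage_options capability and the allowed-extension list are assumptions. It covers both the missing capability check noted earlier and the missing file checks in the image loop above.

```php
<?php
// Added example (not Smart Slider 3 code): the two controls the vulnerable
// export path lacks. Names prefixed ss3_example_, the nonce action string,
// the capability and the extension list are illustrative assumptions.

declare(strict_types=1);

/**
 * Resolve one image reference to a path the export may read, or null.
 *
 * The pattern in create() is effectively:
 *     $file = ResourceTranslator::toPath($image);
 *     if (Filesystem::fileexists($file)) $zip->addFile(file_get_contents($file), ...);
 * Existence is the only test, so any readable file the reference resolves
 * to is copied into the archive. This version adds a containment check
 * against an allowed root and an extension allow-list.
 */
function ss3_example_resolve_export_file(string $candidate, string $allowedRoot): ?string
{
    static $allowedExt = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'mp4', 'webm'];

    $real = realpath($candidate);     // canonical: resolves ../ and symlinks, false if missing
    $root = realpath($allowedRoot);
    if ($real === false || $root === false || !is_file($real)) {
        return null;
    }
    // Prefix-compare with a trailing separator so that a sibling directory
    // such as "uploads-old" does not pass for root "uploads".
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $rootPrefix, strlen($rootPrefix)) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    return $real;
}

/**
 * Build the images/ entries for the archive. Returns archive-name => absolute
 * path for the candidates that passed the checks; the rest are skipped
 * silently, as create() already does for missing files.
 */
function ss3_example_collect_images(array $candidates, string $allowedRoot): array
{
    $entries = [];
    $used = [];
    foreach ($candidates as $candidate) {
        $file = ss3_example_resolve_export_file($candidate, $allowedRoot);
        if ($file === null) {
            continue;
        }
        $name = strtolower(basename($file));
        $i = 1;
        while (isset($used[$name])) {       // same de-duplication idea as uniqueCounter
            $name = $i++ . $name;
        }
        $used[$name] = true;
        $entries['images/' . $name] = $file;
    }
    return $entries;
}

/**
 * Gate for the export AJAX handler. check_ajax_referer() dies on a missing
 * or invalid nonce; current_user_can() is the capability check the
 * vulnerable handlers lack, so a subscriber is refused even with a nonce.
 */
function ss3_example_export_authorize(): void
{
    check_ajax_referer('ss3_example_export', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient permissions', 403);
    }
}

if (function_exists('add_action')) {
    // Inside WordPress: register the gated handler.
    add_action('wp_ajax_ss3_example_export', function (): void {
        ss3_example_export_authorize();
        // Resolve the slider's image references with ss3_example_collect_images()
        // against wp_upload_dir()['basedir'], then stream the zip as actionExportAll() does.
    });
} else {
    // Stand-alone self-check with a constructed directory layout (php example.php).
    $root = sys_get_temp_dir() . '/ss3_example_' . getmypid();
    mkdir($root . '/uploads', 0700, true);
    file_put_contents($root . '/uploads/hero.png', 'png-bytes');
    file_put_contents($root . '/wp-config.php', '<?php // secrets');
    file_put_contents($root . '/uploads/shell.php', '<?php // uploaded');

    $entries = ss3_example_collect_images([
        $root . '/uploads/hero.png',
        $root . '/uploads/../wp-config.php',   // traversal out of the root: rejected
        $root . '/uploads/shell.php',          // inside the root but wrong type: rejected
        $root . '/uploads/missing.jpg',        // does not exist: rejected
    ], $root . '/uploads');

    assert(array_keys($entries) === ['images/hero.png']);
    echo 'allowed: ' . implode(', ', array_keys($entries)) . "\n";
}
```

The containment check relies on realpath() canonicalising both sides, so a symlink inside uploads that points at wp-config.php is rejected as well; the extension allow-list is a second, independent barrier for the case where the root check is misconfigured. Neither check replaces the authorization gate: a read-only export of files that a subscriber should never see is still a problem even when every file is an image.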
Disclosure Timeline
February 23, 2026 - We received the submission for the Arbitrary File Read vulnerability in Smart Slider 3 via the Wordfence Bug Bounty Program.
February 24, 2026 - We validated the report and confirmed the proof-of-concept exploit.
February 24, 2026 - Full disclosure details were sent instantly to the vendor through our Wordfence Vulnerability Management Portal.
February 24, 2026 - Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target this vulnerability.
March 2, 2026 - The vendor acknowledged the report and began working on a fix.
March 24, 2026 - The fully patched version of the plugin, 3.5.1.34, was released.
March 26, 2026 - Wordfence Free users received the same protection.
Conclusion
In this blog post, we detailed an Arbitrary File Read vulnerability within the Smart Slider 3 plugin affecting versions 3.5.1.33 and earlier. This vulnerability allows threat actors with subscriber access to read arbitrary files, which can contain sensitive information. The vulnerability has been addressed in version 3.5.1.34 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of Smart Slider 3 as soon as possible.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure.
The post 800,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in Smart Slider 3 WordPress Plugin appeared first on Wordfence.