Fwd: URGENT: Smart Slider 3 Security Vulnerability


Dorothy Firsching

Mar 26, 2026, 3:30:18 PM
to novaj...@googlegroups.com


---------- Forwarded message ---------
From: Phil Taylor <ph...@phil-taylor.com>
Date: Thu, Mar 26, 2026 at 2:13 PM
Subject: URGENT: Smart Slider 3 Security Vulnerability



URGENT: Smart Slider 3 has a critical vulnerability (CVE-2026-3098) that lets any subscriber download your wp-config.php. Your sites are affected. Update now.

⚠ Urgent Security Alert ⚠

mySites.guru
 
Smart Slider 3 Vulnerability

Security

Smart Slider 3 lets anyone download your config files

We're writing to you because one or more of your sites on mySites.guru is running Smart Slider 3, which has a newly disclosed vulnerability that needs your immediate attention.

CVE-2026-3098 (CVSS 6.5) is an arbitrary file read vulnerability in Smart Slider 3 versions 3.5.1.33 and earlier. Any user with a subscriber account can exploit the slider export function to download any file from your server, including wp-config.php (WordPress) or configuration.php (Joomla) with your database credentials and authentication keys.

Update now. Don't wait.

This vulnerability is public knowledge and affects both WordPress and Joomla versions of Smart Slider 3. On WordPress, the exploit requires only a free subscriber account. If any of your sites allow user registration (WooCommerce, membership plugins, open registration), an attacker could already be downloading database credentials, private keys, and every other sensitive file on the server. The Joomla version shares the same vulnerable codebase.

What you need to do

1. Check your sites in mySites.guru

Open your Smart Slider 3 extension page to see every site with any version installed, then update to 3.5.1.34 using the mass updater.

2. Regenerate your secret keys

WordPress: Generate new values at api.wordpress.org/secret-key and replace the existing constants in wp-config.php. This invalidates any forged session cookies.
Joomla: Regenerate the $secret value in configuration.php. Any random 32+ character string will do.

3. Change your database password

Update DB_PASSWORD in your hosting panel and in wp-config.php or configuration.php. If your config file was read before you patched, the attacker has your database credentials.

4. Audit your user accounts

Check for unauthorized subscriber accounts. The exploit only needs subscriber access, so any unknown user could have been the entry point.

Read the full story on the mySites.guru blog
 

Why this is serious

This is not a theoretical risk. The exploit is straightforward: any authenticated user (even a free subscriber on WordPress, or a registered user on Joomla) can call Smart Slider 3's export function and receive a ZIP file containing any file on the server. There's no special tooling required.

With your wp-config.php or configuration.php in hand, an attacker can forge admin session cookies, connect directly to your database, and maintain persistent access even after you patch the plugin. Sites running WooCommerce, membership plugins, or open registration are at the highest risk. The WordPress and Joomla versions share the same Nextend framework codebase, so both platforms carry identical risk.

Smart Slider 3 has had eight documented vulnerabilities since 2021, three of which required only subscriber access. This is a pattern worth factoring into your risk assessment.
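An added example, not part of the forwarded newsletter or of mySites.guru's tooling: a shell script that walks a list of WordPress install paths with WP-CLI, flags any Smart Slider 3 at version 3.5.1.33 or earlier as affected, and applies steps 1, 2 and 4 above (update, rotate the wp-config.php salts, list subscriber accounts for review). It assumes WP-CLI is installed as `wp` and that the plugin slug is `smart-slider-3`; the database password change (step 3) is left to the hosting panel.

```shell
#!/bin/sh
# Fleet triage for CVE-2026-3098 with WP-CLI (assumed installed as `wp`).
# Usage: ./triage.sh /var/www/site1 /var/www/site2 ...
set -u

# version_le A B: succeeds when dotted version A <= B, compared numerically
# component by component (missing components count as 0).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 0
    }'
}

# Affected range per the advisory: 3.5.1.33 and earlier; 3.5.1.34 is fixed.
is_vulnerable() { version_le "$1" "3.5.1.33"; }

# Apply the remediation steps to one WordPress install.
triage_site() {
    site="$1"
    # Plugin slug assumed to be smart-slider-3.
    ver=$(wp plugin get smart-slider-3 --field=version --path="$site" 2>/dev/null) || {
        echo "$site: Smart Slider 3 not installed, skipping"; return 0; }
    if is_vulnerable "$ver"; then
        echo "$site: AFFECTED ($ver), updating"
        wp plugin update smart-slider-3 --path="$site"                 # step 1
        # Step 2: rotate AUTH_KEY/SALT constants so a copied wp-config.php
        # can no longer be used to forge session cookies.
        wp config shuffle-salts --path="$site"
        # Step 4: list subscriber accounts for manual review.
        wp user list --role=subscriber \
            --fields=ID,user_login,user_email,user_registered --path="$site"
        echo "$site: now change DB_PASSWORD in the hosting panel and wp-config.php (step 3)"
    else
        echo "$site: OK ($ver)"
    fi
}

for site in "$@"; do triage_site "$site"; done
```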
