Smart Slider 3, one of the most popular WordPress slider builder plugins, has a serious security hole. This vulnerability puts a huge number of websites at risk of serious data theft because the plugin has more than 800,000 active installations.
This vulnerability is especially bad for sites that let anyone sign up as a user, because any normal subscriber account can be used to launch an attack. The plugin's developers at Nextend acknowledged the report, quickly fixed the problem and released a fully patched version on March 24, 2026. Website owners should update their Smart Slider 3 plugin to version 3.5.1.34 right away to protect their sites from possible attacks.
The vulnerability, which is an Authenticated Arbitrary File Read, is hidden deep in the plugin's export feature. This means that attackers can easily retrieve .php files, which completely breaks the security measures that WordPress put in place.
The main and most serious threat from this vulnerability is that it could expose the site's main wp-config.php file. If an attacker is able to download this file, they will have instant access to database credentials, as well as the cryptographic keys and salts that protect user sessions.
On February 23, 2026, a security researcher named Dmitrii Ignatyev found the flaw and responsibly reported it through the Wordfence Bug Bounty Program. He received a well-deserved $2,208 reward. The same protection was given to sites that used the free version of Wordfence exactly 30 days later, on March 26, 2026. The problem has been fixed since then.
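For a site that ran a vulnerable version with open registration, the wp-config.php exposure described above determines what has to be rotated. The following is an added example, not code from the article, Wordfence or Nextend: it lists which database credentials and keys/salts a given wp-config.php actually defines, without printing their values. The function names and the sample file contents are constructed for illustration; the constant names are WordPress's standard ones.

```python
import re

# Standard WordPress constants holding what the article says is exposed:
# database credentials plus the eight authentication keys and salts.
DB_CREDENTIALS = ("DB_USER", "DB_PASSWORD")
KEYS_AND_SALTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"  # default in wp-config-sample.php

# define( 'NAME', 'value' ); with either quote style and escaped quotes.
# Anchored at line start so "// define(...)" and "# define(...)" never match.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*(['"])(?P<name>\w+)\1\s*,\s*(['"])(?P<value>(?:\\.|(?!\3).)*)\3\s*\)\s*;"""
)

def inventory(config_text):
    """Map each secret constant to 'set', 'placeholder' or 'missing'."""
    status = {name: "missing" for name in DB_CREDENTIALS + KEYS_AND_SALTS}
    in_block = False  # inside a /* ... */ comment
    for line in config_text.splitlines():
        stripped = line.strip()
        if in_block or stripped.startswith("/*"):
            in_block = "*/" not in stripped
            continue
        m = DEFINE_RE.match(line)
        if m and m["name"] in status:
            status[m["name"]] = "placeholder" if m["value"] == PLACEHOLDER else "set"
    return status

def exposed_secrets(config_text):
    """Names holding real values, i.e. what to rotate if the file was read."""
    return sorted(n for n, s in inventory(config_text).items() if s == "set")

# Constructed sample, not taken from any real site.
SAMPLE = r"""<?php
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'constructed-example-password' );
// define( 'DB_PASSWORD', 'old-value' );
define( 'AUTH_KEY',        'k#1//constructed value with /* odd */ chars' );
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
/* define( 'NONCE_KEY', 'disabled' ); */
define( "LOGGED_IN_SALT", "constructed \"quoted\" salt" );
"""

if __name__ == "__main__":
    print(exposed_secrets(SAMPLE))
```

Every name it returns should get a new value: a new database password and regenerated keys and salts, which also invalidates existing login sessions.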




