CVE-2026-3098 - Smart Slider 3 - LFI (Subscriber+)

Vulnerability Overview

This vulnerability affects the Smart Slider 3 plugin, allowing authenticated low-privilege users (such as Subscribers) to perform arbitrary Local File Inclusion (LFI) through normal slider and image management workflows. Attackers can package server file contents into exported Smart Slider archives, enabling the download and offline inspection of configuration files, credentials, and application keys.

Scope of Impact

Plugin Version: Smart Slider 3 <= 3.5.133
Active Installations: 800,000+
Release Date: March 26, 2026
Researcher: Dmitrii Ignatyev

POC Code

Remediation

Core Fix: The fix must address multiple points in the exploitation chain, as the chain's success depends on the absence or inconsistency of multiple controls.

Specific Recommendations:
- Every Smart Slider 3 operation must enforce strict permission checks when modifying state.
- These checks must align with the plugin's permission model.
- Paths should not rely on the existence of ; instead, image paths must be validated to ensure they are not absolute filesystem paths, accepting only media library references or verified URLs.
- The export routine must not read arbitrary file paths from stored data unless they correspond to attachment IDs resolved to internally uploaded files.
- Controller routes must not allow fallback behaviors that read controlled controllers or actions; export endpoints must require strict permissions and validated server-side nonces.
- Owners should reduce exposure and rotate keys if there are any signs of suspicious file disclosure.
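The following is an added example of how the path-validation, attachment-resolution and endpoint-guard recommendations above fit together in a WordPress plugin; it is not Smart Slider 3 code. The helper names are hypothetical, and it assumes slides store images as media-library attachment IDs and that export is gated on the `manage_options` capability (an assumption, to be replaced by the plugin's own permission model).

```php
<?php
/*
 * Added defensive example; not code from Smart Slider 3. Helper names are
 * hypothetical. Assumes slides store images as media-library attachment IDs
 * and that export requires 'manage_options' (an assumed capability).
 */

/** Save time: accept only a media-library ID or an http(s) URL, never a path. */
function ss_validate_image_reference( $ref ) {
    if ( is_int( $ref ) || ctype_digit( (string) $ref ) ) {
        return 'attachment' === get_post_type( (int) $ref ) ? (int) $ref : null;
    }
    // Refuse filesystem paths and stream wrappers (/etc/..., C:\..., php://).
    if ( ! is_string( $ref ) || '' === $ref || '/' === $ref[0] || preg_match( '#^[a-z]:[\\\\/]#i', $ref ) ) {
        return null;
    }
    $scheme = wp_parse_url( $ref, PHP_URL_SCHEME );
    return in_array( $scheme, array( 'http', 'https' ), true ) ? esc_url_raw( $ref ) : null;
}

/** Export time: resolve an attachment ID to a file under wp-content/uploads, or refuse. */
function ss_resolve_export_file( $attachment_id ) {
    $attachment_id = (int) $attachment_id;
    if ( $attachment_id <= 0 || 'attachment' !== get_post_type( $attachment_id ) ) {
        return null;
    }
    $file = get_attached_file( $attachment_id ); // path recorded at upload, not slide data
    $base = realpath( wp_upload_dir()['basedir'] );
    $real = $file ? realpath( $file ) : false;
    if ( false === $base || false === $real ) {
        return null;
    }
    // Canonical prefix check so '..', symlinks and mixed separators cannot escape uploads.
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    return 0 === strncmp( $real, $base, strlen( $base ) ) ? $real : null;
}

/** Export endpoint guard: capability and server-side nonce before any file is read. */
function ss_export_guard() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'ss_export' ); // rejects a missing or invalid _wpnonce
}
```

The export routine would call `ss_export_guard()` once per request and `ss_resolve_export_file()` per slide, packing only the paths that resolve; a relative traversal string, an absolute path or a `php://` wrapper stored in slide data never reaches the filesystem.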