Sunday, March 29, 2026

File read flaw in Smart Slider plugin impacts 500K WordPress websites


A vulnerability in the Smart Slider 3 WordPress plugin, active on more than 800,000 websites, can be exploited to allow subscriber-level users access to arbitrary files on the server.

An authenticated attacker could use it to access sensitive files, such as wp-config.php, which contains database credentials, keys, and salt data, creating the risk of user data theft and full site takeover.

Smart Slider 3 is one of the most popular WordPress plugins for creating and managing image sliders and content carousels. It offers an easy-to-use drag-and-drop editor and a rich set of templates to choose from.

The security issue, tracked as CVE-2026-3098, was discovered and reported by researcher Dmitrii Ignatyev and impacts all versions of the Smart Slider 3 plugin up to and including 3.5.1.33.

It received a medium severity score because exploitation requires authentication. However, this only limits the impact to websites with membership or subscription options, a feature that is common on many platforms these days.

The vulnerability stems from missing capability checks in the plugin's AJAX export actions. This allows any authenticated user, including subscribers, to invoke them.

According to researchers at WordPress security company Defiant, the developer of the Wordfence security plugin, the 'actionExportAll' function lacks file type and source validation, thus allowing arbitrary server files to be read and added to the export archive.

The presence of a nonce does not prevent abuse, because any authenticated user can obtain one; a nonce protects against CSRF, not against an authorized user calling the action directly.

"Unfortunately, this function doesn't include any file type or file source checks in the vulnerable version. This means that not only image or video files can be exported, but .php files can as well," says István Márton, a vulnerability research contractor at Defiant.

"This ultimately makes it possible for authenticated attackers with minimal access, like subscribers, to read any arbitrary file on the server, including the site's wp-config.php file, which contains the database credentials as well as keys and salts for cryptographic security."
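The two defects described above, a missing capability check and a missing file type/source check, are common in WordPress AJAX handlers. The following PHP is an added illustrative example, not Smart Slider 3's code: the action names, the `demo_` function names and the handler bodies are assumptions, but the WordPress APIs used (`check_ajax_referer`, `current_user_can`, `wp_upload_dir`, `wp_send_json_error`) are real. It shows a handler that relies on a nonce alone, beside a hardened version that adds authorization and confines reads to allowed media files under the uploads directory.

```php
<?php
// Added example, not the plugin's own code. Action names, demo_* helpers and
// the allowed extension list are assumptions chosen for illustration.

// --- Insufficient pattern: nonce only. -------------------------------------
// A nonce proves the request originated from a page the user loaded; any
// logged-in user (including a subscriber) can obtain one, so it is not an
// authorization check, and nothing below restricts what gets read from disk.
add_action( 'wp_ajax_demo_export_all_weak', function () {
    check_ajax_referer( 'demo_export', 'nonce' );
    $requested = isset( $_POST['files'] ) ? (array) $_POST['files'] : array();
    // Every client-supplied path is read verbatim: a path to wp-config.php or
    // any other readable file would simply be archived and returned.
    wp_send_json_success( demo_build_archive( $requested ) );
} );

// --- Hardened pattern: nonce + capability + path/type validation. ----------
add_action( 'wp_ajax_demo_export_all', function () {
    // 1. CSRF protection: the request must carry a valid nonce.
    check_ajax_referer( 'demo_export', 'nonce' );

    // 2. Authorization: only users allowed to manage the site may export.
    //    Subscribers fail this check and get a 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Source and type validation for every requested file.
    $upload  = wp_upload_dir();
    $allowed = array( 'jpg', 'jpeg', 'png', 'gif', 'webp', 'mp4', 'webm' );
    $safe    = array();
    $requested = isset( $_POST['files'] ) ? (array) $_POST['files'] : array();
    foreach ( $requested as $file ) {
        $validated = demo_export_validate_path( (string) $file, $upload['basedir'], $allowed );
        if ( null === $validated ) {
            wp_send_json_error( 'invalid file', 400 );
        }
        $safe[] = $validated;
    }
    wp_send_json_success( demo_build_archive( $safe ) );
} );

/**
 * Returns the resolved absolute path if it lies inside $base_dir and has an
 * allowed extension, otherwise null. realpath() resolves ".." segments and
 * symlinks, so a link inside uploads pointing at wp-config.php resolves to
 * the real target and is rejected by the containment check.
 */
function demo_export_validate_path( string $requested, string $base_dir, array $allowed_ext ): ?string {
    $real_base = realpath( $base_dir );
    $real      = realpath( $requested );
    if ( false === $real_base || false === $real || ! is_file( $real ) ) {
        return null;
    }
    $base_prefix = rtrim( $real_base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strpos( $real, $base_prefix ) ) {
        return null; // outside the uploads directory
    }
    $ext = strtolower( pathinfo( $real, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, $allowed_ext, true ) ) {
        return null; // not a media type an export should contain
    }
    return $real;
}

/**
 * Packs the given (already validated) files into a zip and returns its path.
 */
function demo_build_archive( array $files ): string {
    $tmp = wp_tempnam( 'demo-export.zip' );
    $zip = new ZipArchive();
    $zip->open( $tmp, ZipArchive::CREATE | ZipArchive::OVERWRITE );
    foreach ( $files as $file ) {
        $zip->addFile( $file, basename( $file ) );
    }
    $zip->close();
    return $tmp;
}
```

The order of the three checks matters: the nonce rejects cross-site requests, the capability check rejects low-privilege accounts, and the path validation makes the handler safe even if the first two are bypassed or misconfigured. When reviewing a plugin's own AJAX actions, the quick audit is to confirm every `wp_ajax_*` handler calls `current_user_can()` with an appropriate capability, and that any filesystem path it accepts from the client is canonicalized and checked against an allowed base directory.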

500K websites still vulnerable

On February 23, Ignatyev reported his findings to Wordfence, whose researchers validated the provided proof-of-concept exploit and informed Nextendweb, the developer of Smart Slider 3.

Nextendweb acknowledged the report on March 2 and on March 24 delivered a patch with the release of Smart Slider version 3.5.1.34.

According to WordPress.org stats, the plugin was downloaded 303,428 times over the past week. This means that at least 500,000 WordPress sites are still running a vulnerable version of the Smart Slider 3 plugin and are exposed to attacks.

CVE-2026-3098 is not flagged as actively exploited as of writing, but that status could change soon, so prompt action is required from website owners and administrators: update to version 3.5.1.34 or later.
