800K Sites at Risk from Smart Slider 3 File Read Flaw
CVE-2026-3098 lets subscribers read wp-config.php and any server file. Amelia Booking Pro also patched for admin password reset bug. Update these WordPress plugins now.
Two widely deployed WordPress plugins received critical security patches this week, leaving hundreds of thousands of websites exposed until administrators apply updates. Smart Slider 3, installed on over 800,000 sites, and Amelia Booking Pro both contain vulnerabilities that attackers can exploit with minimal privileges.
The flaws highlight a persistent problem in the WordPress ecosystem: popular plugins with massive install bases often become prime targets for attackers hunting for low-hanging fruit. With 331 new vulnerabilities disclosed in the past week alone, WordPress administrators face an ongoing patching burden that many struggle to maintain.
Smart Slider 3: Any Subscriber Can Read Your Config Files
CVE-2026-3098 affects Smart Slider 3 versions through 3.5.1.33. The vulnerability is an arbitrary file read flaw in the plugin's export functionality, specifically the actionExportAll function. Security researcher Dmitrii Ignatyev discovered and reported the bug to Wordfence on February 23, with a patch delivered in version 3.5.1.34 on March 24.
What makes this vulnerability particularly dangerous is its low barrier to exploitation. Any authenticated user with subscriber-level permissions can access arbitrary files on the server. The plugin's export action lacks proper capability checks and file type validation, allowing attackers to request files that should never be accessible through the web interface.
The files attackers can extract include:
- wp-config.php containing database credentials, authentication keys, and salts
- Database export files with user credentials and content
- Backup archives stored on the server
- Private uploads and any other server-accessible file
While the vulnerability carries a CVSS score of 6.5 (Medium), the real-world impact is severe. Database credentials from wp-config.php can lead to complete site takeover if the database server is remotely accessible, and the authentication keys and salts allow an attacker to forge valid session cookies without knowing any user's password.
According to Bleeping Computer's analysis, at least 500,000 WordPress sites are still running vulnerable versions despite the patch being available for five days. Smart Slider 3 averages over 300,000 downloads per week, so the vulnerable population will shrink gradually—but attackers won't wait.
Amelia Booking Pro: Customers Can Reset Admin Passwords
The second critical patch addresses CVE-2026-2931 in Amelia Booking Pro, a popular appointment scheduling plugin. This insecure direct object reference (IDOR) vulnerability carries a CVSS score of 8.8 and affects versions through 9.1.2.
The flaw allows any authenticated user with customer-level access to change arbitrary users' passwords—including administrator accounts. An attacker who creates a legitimate booking account can then craft requests that target admin users, resetting their passwords and taking control of the site.
This attack pattern echoes what we've seen in other WordPress plugin privilege escalation bugs, where seemingly minor authentication weaknesses cascade into full site compromise.
The remediation is straightforward: update Amelia Booking Pro to version 9.2 or later. For sites that cannot update immediately, virtual patching through a web application firewall that validates WordPress nonces on password change actions can provide temporary protection.
Why WordPress Plugins Keep Failing
WordPress powers over 40% of websites on the internet, making its plugin ecosystem an attractive target. The fundamental problem isn't WordPress core—it's the quality variance among the 60,000+ plugins in the official directory. Many are developed by small teams without dedicated security resources, and the WordPress plugin review process focuses primarily on functionality rather than security depth.
The vulnerabilities disclosed this week follow familiar patterns. Smart Slider 3's file read flaw stems from missing authorization checks on an AJAX endpoint—a basic security control that should have been caught in development. Amelia's IDOR bug represents another common failure mode where developers assume user-supplied IDs will only target the requesting user's resources.
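To make the two failure modes concrete, below is an added illustration of how a WordPress AJAX export handler and a password-change handler look with the missing controls in place. It is not code from Smart Slider 3, Amelia Booking Pro or WordPress core; the action names, nonce names, request parameters and export directory are assumptions.

```php
<?php
// Added example: hardened WordPress AJAX handlers. Not code from Smart Slider 3
// or Amelia Booking Pro; action names, nonces, parameters and paths are invented.

// 1. Export handler: capability check, nonce check, and a directory allowlist so
//    the "file" parameter can only name an export the plugin itself produced.
add_action( 'wp_ajax_demo_export_file', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );   // exits
    }
    check_ajax_referer( 'demo_export_nonce', 'nonce' );          // dies on failure

    $export_dir = realpath( wp_upload_dir()['basedir'] . '/demo-exports' );
    if ( false === $export_dir ) {
        wp_send_json_error( 'export directory missing', 500 );
    }
    $export_dir = trailingslashit( $export_dir );

    // sanitize_file_name() strips path separators; realpath() then resolves any
    // remaining ".." so the prefix test below runs on the real on-disk path.
    $requested = sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) );
    $resolved  = realpath( $export_dir . $requested );
    if ( false === $resolved
        || 0 !== strpos( $resolved, $export_dir )
        || 'zip' !== strtolower( pathinfo( $resolved, PATHINFO_EXTENSION ) ) ) {
        wp_send_json_error( 'invalid export file', 400 );
    }
    wp_send_json_success( array( 'file' => basename( $resolved ), 'size' => filesize( $resolved ) ) );
} );

// 2. Password change handler: the user ID is an object reference and must be
//    authorised against the caller, not trusted because the request supplied it.
add_action( 'wp_ajax_demo_change_password', function () {
    check_ajax_referer( 'demo_password_nonce', 'nonce' );

    $target_id = absint( $_POST['user_id'] ?? 0 );
    $caller_id = get_current_user_id();

    // The IDOR pattern is wp_set_password() on $target_id with no ownership check.
    // Hardened: self-service only, unless the caller holds edit_user for that target.
    if ( $target_id !== $caller_id && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'not permitted to change this user', 403 );
    }

    $new_password = (string) wp_unslash( $_POST['password'] ?? '' );
    if ( strlen( $new_password ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }
    wp_set_password( $new_password, $target_id );
    wp_send_json_success();
} );
```

The nonce check alone would not have stopped either bug, since both attackers were legitimately logged in; the capability test and the ownership comparison are the controls that actually matter here.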
These issues aren't unique to these plugins. We've covered similar admin takeover vulnerabilities in Modular DS that scored a perfect CVSS 10.0, and attackers have increasingly weaponized compromised WordPress sites as malware distribution infrastructure.
Recommended Actions
Administrators running either affected plugin should update immediately:
- Smart Slider 3: Update to version 3.5.1.34 or later
- Amelia Booking Pro: Update to version 9.2 or later
Beyond these specific patches, WordPress administrators should:
- Enable automatic minor updates for plugins where possible
- Review subscriber accounts for suspicious registrations
- Monitor access logs for unusual requests to plugin AJAX endpoints
- Consider a web application firewall that provides virtual patching for known vulnerabilities
- Audit installed plugins quarterly and remove any that are abandoned or unnecessary
The 331 vulnerabilities disclosed in the past week across WordPress plugins and themes represent a systemic challenge. Staying current with patches isn't optional—it's the baseline requirement for running WordPress safely.