• Around 500,000 WordPress websites could be at risk from crucial p

    From TechnologyDaily@1337:1/100 to All on Monday, March 30, 2026 18:15:30
    Around 500,000 WordPress websites could be at risk from crucial plugin security flaw here's what we know

    Date:
    Mon, 30 Mar 2026 17:05:00 +0000

    Description:
    Hackers can read arbitrary files, including those containing passwords, with this newly discovered WordPress flaw.

    FULL STORY ======================================================================
    Smart Slider 3 WordPress plugin (used on 800,000 sites) carried an Arbitrary File Read flaw enabling access to sensitive server files
    Vulnerability allowed even low-privileged accounts to exfiltrate credentials and configuration data via AJAX export functions
    Patch released in version 3.5.1.34, but nearly 500K sites remain exposed; users urged to update immediately

    A popular WordPress plugin used by hundreds of thousands of websites reportedly carried a vulnerability which allowed threat actors to steal sensitive information such as login credentials, experts have warned.

    Smart Slider 3, which is currently active on more than 800,000 websites, allows users to create responsive, customizable sliders and visual content blocks without needing to code. However, versions 3.5.1.33 and older were all vulnerable to an Arbitrary File Read flaw, which allows authenticated threat actors to access and read files on the server.

    Patching and securing websites

    The vulnerability in Smart Slider 3 stems from missing permission checks in its AJAX export functions. Although a security token (nonce) exists, any authenticated user can obtain one, allowing even low-privileged accounts (like subscribers) to trigger the export process.

    The actionExportAll() function ultimately packages files into a downloadable .zip archive using file_get_contents() without validating the file type or source, so attackers can include arbitrary server files, such as sensitive configuration files (for example, wp-config.php). This lack of restrictions enables authenticated attackers to read confidential data stored on the server.
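    As an added illustration (not Smart Slider 3's code, and not from the article), here is a WordPress admin-ajax export handler hardened against the two defects described above: the nonce is kept but backed by an explicit capability check, and every requested file is confined to a directory the plugin owns before file_get_contents() touches it. The action name, function names, upload subfolder and extension allowlist are all assumptions.

```php
<?php
// Added example, not Smart Slider 3's code; handler and action names are hypothetical.
add_action( 'wp_ajax_example_export_all', 'example_export_all' );

function example_export_all() {
    // A nonce only proves the request came from a page we rendered; any logged-in
    // user can obtain one, so it is not an authorization check on its own.
    check_ajax_referer( 'example_export', 'nonce' );

    // The check the article says was missing: require an administrative capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // Only files inside the plugin's own upload folder may be exported.
    $base      = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-sliders/';
    $requested = isset( $_POST['files'] ) ? (array) wp_unslash( $_POST['files'] ) : array();

    $tmp = wp_tempnam( 'example-export' );
    $zip = new ZipArchive();
    $zip->open( $tmp, ZipArchive::OVERWRITE );
    foreach ( $requested as $name ) {
        $path = example_confine_path( $base, sanitize_text_field( $name ) );
        if ( null === $path ) {
            continue; // drop anything that escapes the allowed directory
        }
        $zip->addFromString( basename( $path ), file_get_contents( $path ) );
    }
    $zip->close();

    // Streaming $tmp to the browser and unlinking it afterwards is omitted here.
    wp_send_json_success( array( 'archive' => basename( $tmp ) ) );
}

// Resolve $name beneath $base; return null if it is missing, not a regular file,
// resolves outside $base (via ../ or a symlink), or is not an expected export asset.
function example_confine_path( $base, $name ) {
    $real_base = realpath( $base );
    $real      = realpath( $base . $name );
    if ( false === $real_base || false === $real || ! is_file( $real ) ) {
        return null;
    }
    if ( 0 !== strpos( $real, $real_base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    $ext = strtolower( pathinfo( $real, PATHINFO_EXTENSION ) );
    return in_array( $ext, array( 'json', 'jpg', 'png', 'webp' ), true ) ? $real : null;
}
```

    Because realpath() resolves symlinks and dot segments before the prefix comparison, a request naming a file such as a site configuration file is rejected rather than archived.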

    Since some of the files contain sensitive information, such as credentials, keys, or salt data, the vulnerability can be rather disruptive. But because the threat actors need to be authenticated to be able to pull off the attack, the vulnerability was given a medium severity score. However, some are saying that memberships and subscription options are common on many platforms these days, suggesting that the risk is greater than what the vulnerability's severity score shows.

    The bug was first spotted by security researcher Dmitrii Ignatyev in late February 2026, and reported to Wordfence in early March. He received a $2,200 bounty for his findings.

    Nextendweb, the maintainers of Smart Slider 3, have released a patch with version 3.5.1.34, and at the time of writing, the latest version was downloaded exactly 308,575 times - meaning just under 500,000 websites are still vulnerable.

    Currently, there are no reports of the bug being exploited in the wild, but users are advised to update their plugin as soon as possible to avoid being targeted.

    Protecting WordPress websites

    As a platform, WordPress is generally considered safe and without known major vulnerabilities. However, it operates a vast repository of third-party, user-built themes and plugins, split into free and premium categories. The latter ones usually come with a dedicated maintenance and development team and as such are regularly updated and hardened against attacks.

    The free ones, on the other hand, are often built by enthusiasts, small
    teams, and freelance developers. Many of them are abandoned, unmaintained, or otherwise poorly managed, despite being popular among the users. As such,
    they create a huge security risk on one end, and attack opportunity on the other.

    As a general rule of thumb, security researchers advise WordPress users to keep their platform, themes, and plugins updated at all times. Furthermore, they suggest users only keep installed those themes and plugins they actively use and make sure to replace any default security and privacy settings.

    Via BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/around-500-000-wordpress-websites-could-be-at-risk-from-crucial-plugin-security-flaw-heres-what-we-know


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)