high · Vulnerability · Emerging

Arbitrary file read in Smart Slider 3 exposes mass WordPress installation risk through subscriber escalation

A file read vulnerability in the Smart Slider 3 WordPress plugin allows subscriber-level users to access arbitrary files on affected servers. With 800,000+ installations, this represents a significant exposure vector for sensitive configuration files and database credentials.

Sebastion

Affected

Smart Slider 3 WordPress plugin

Smart Slider 3, installed on over 800,000 WordPress sites, contains a file read vulnerability that permits subscriber-level users (the lowest authenticated user role in WordPress) to retrieve arbitrary files from the server filesystem. This is significant because subscribers typically have minimal permissions, making this a clear privilege escalation path that bypasses WordPress' native access controls.

The vulnerability likely stems from inadequate path traversal protection or missing capability checks in a file-serving endpoint. An attacker holding subscriber credentials can read files outside the intended scope, potentially including wp-config.php (which contains database credentials), .env files, or other sensitive configuration data. The low barrier to exploitation is what makes this critical: obtaining a subscriber account requires either a compromised legitimate user or a separate authentication weakness, but the plugin flaw itself does not require admin access.
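To make the two failure classes named above concrete, here is an added illustration (not Smart Slider 3's code, whose internals this note does not describe) of a generic file-serving resolver written two ways: the unsafe join-and-serve pattern, and a hardened version that decodes once, rejects double-encoding, and requires the normalized path to stay under the allowed base, gated by a role check. The base directory, role names and `serve_asset` name are assumptions for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed base directory for the example; not a path taken from the plugin.
ALLOWED_BASE = "/var/www/html/wp-content/uploads/smartslider"


def resolve_unsafe(base: str, requested: str) -> str:
    """The weak pattern: decode the parameter, join it to the base, serve it.
    Nothing confines the result to `base`, so '../' walks out of it."""
    return posixpath.normpath(posixpath.join(base, unquote(requested)))


def resolve_contained(base: str, requested: str) -> Optional[str]:
    """Hardened resolver: returns the path to serve, or None to refuse.

    - Decode exactly once; if percent-escapes remain, the client tried
      double-encoding (e.g. %252e%252e) and the request is refused.
    - Refuse embedded NULs, which some runtimes treat as a string terminator.
    - Normalize, then require the result to share `base` as its common prefix
      at the path-component level (commonpath, not a string startswith).
    On a real server, resolve symlinks with os.path.realpath before the
    commonpath test; posixpath is used here so the example runs offline.
    """
    decoded = unquote(requested)
    if "%" in decoded or "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def serve_asset(user_role: str, requested: str) -> Optional[str]:
    """Capability gate in front of the resolver. The role set is an assumed
    policy for the example: a file-fetch endpoint should not be reachable by
    the lowest authenticated role."""
    if user_role not in {"administrator", "editor"}:
        return None
    return resolve_contained(ALLOWED_BASE, requested)


if __name__ == "__main__":
    traversal = "../../../wp-config.php"
    print("unsafe   ->", resolve_unsafe(ALLOWED_BASE, traversal))
    print("hardened ->", resolve_contained(ALLOWED_BASE, traversal))
    print("subscriber, benign file ->", serve_asset("subscriber", "slider1/hero.jpg"))
    print("editor, benign file     ->", serve_asset("editor", "slider1/hero.jpg"))
```

The point of the pairing is that the capability check and the containment check are independent defences: the first removes subscriber-level reach entirely, the second bounds what any permitted caller can fetch.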

The scale of impact is substantial. With approximately 800,000 active installations, even a 5% exploitation rate would affect 40,000 sites. WordPress plugin vulnerability disclosure patterns suggest this flaw may already be known in security circles, making rapid patching essential. The subscriber-level access requirement means any site with open registration or compromised user credentials becomes an attack vector.

Defenders should immediately apply available patches if released, or disable Smart Slider 3 pending remediation. Website administrators should review file access logs for unusual read patterns and consider restricting subscriber creation on sites requiring minimal user functionality. For managed WordPress hosting providers, this warrants rapid patching at the platform level.
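The log review recommended above can be scripted. The following added example (not from the original note or the plugin vendor) parses combined-format web server access logs, fully URL-decodes each request path, and flags requests carrying traversal sequences or references to the sensitive files named in this note. The log lines, IP addresses and the `ss3_fetch` action name are constructed for the example and are not the plugin's real routes.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample in Apache/nginx "combined" format. Addresses are from the
# documentation ranges; the endpoint and action names are illustrative only.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2024:10:01:02 +0000] "GET /wp-content/plugins/smart-slider-3/public/image.php?file=slider1/hero.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=ss3_fetch&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=ss3_fetch&file=%252e%252e%252f.env HTTP/1.1" 200 412 "-" "curl/8.4.0"
198.51.100.7 - - [10/Mar/2024:10:02:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.4.0"
"""

# Minimal combined-log parser: client, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# File names the note calls out as high-value targets of an arbitrary read.
SENSITIVE_NAMES = ("wp-config.php", ".env")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Repeatedly percent-decode until stable so that single- and
    double-encoded traversal sequences normalize to the same text."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per request whose decoded path contains a
    traversal sequence or names a sensitive file. A 200 status on such a
    request is the signal worth escalating: the server returned content."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        path = decode_fully(match["path"])
        reasons = []
        if "../" in path or "..\\" in path:
            reasons.append("traversal")
        if any(name in path.lower() for name in SENSITIVE_NAMES):
            reasons.append("sensitive-file")
        if reasons:
            findings.append({
                "ip": match["ip"],
                "timestamp": match["ts"],
                "status": int(match["status"]),
                "path": path,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ip"], f["status"], ",".join(f["reasons"]), f["path"])
```

Run against real logs, the interesting follow-up is correlating flagged requests with the authenticated user (from the WordPress or application log) to confirm the subscriber-level path described above, and treating any 200 response on a flagged request as a confirmed disclosure rather than an attempt.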

This incident illustrates a persistent plugin ecosystem weakness: security vetting often focuses on admin-level vulnerabilities, while lower-privileged access paths receive less attention during code review. The large installed base means any published exploit code will be rapidly weaponised across the web.