- Smart Slider 3 WordPress plugin (used on 800,000 websites) carried an Arbitrary File Read flaw enabling access to sensitive server files
- Vulnerability allowed even low-privileged accounts to exfiltrate credentials and configuration data via AJAX export functions
- Patch released in version 3.5.1.34, but almost 500K sites remain exposed; users urged to update immediately
A popular WordPress plugin used by hundreds of thousands of websites reportedly carried a vulnerability which allowed threat actors to steal sensitive information such as login credentials, experts have warned.
Smart Slider 3, which is currently active on more than 800,000 websites, allows users to create responsive, customizable sliders and visual content blocks without needing to code.
However, versions 3.5.1.33 and older were all vulnerable to an Arbitrary File Read flaw, which allows authenticated threat actors to access and read files on the server.
Patching and securing websites
The vulnerability in Smart Slider 3 stems from missing permission checks in its AJAX export functions. Although a security token (nonce) exists, authenticated users can obtain it, allowing even low-privileged accounts (like subscribers) to trigger the export process.
The actionExportAll() function ultimately packages files into a downloadable .ZIP file using file_get_contents() without validating file type or source, and consequently attackers can include even arbitrary server files, such as sensitive configuration files (for example, wp-config.php). This lack of restrictions allows authenticated attackers to read confidential data stored on the server.
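The two weaknesses described above, a nonce that is treated as authorization and a file path that reaches file_get_contents() unchecked, are a common pattern in WordPress AJAX handlers. The following is an added example of a hardened export handler, written for this article; it is not Smart Slider 3's code, and the function names, the export directory, the nonce action and the allowed extensions are all constructed for illustration. Comments mark what a nonce-only handler would be missing at each step.

```php
<?php
// Hypothetical WordPress AJAX export handler showing the defender-side fix for the
// two defects described above. Not Smart Slider 3's source; names are constructed.

// Constructed allowlist: the only directory this export is permitted to read from.
define('EXAMPLE_EXPORT_BASE', WP_CONTENT_DIR . '/uploads/example-slider-exports');

/**
 * Resolve a user-supplied relative path and confirm it stays inside the export base.
 * Returns the canonical absolute path, or null if the file is missing or escapes the base.
 */
function example_resolve_export_path(string $relative): ?string {
    $base      = realpath(EXAMPLE_EXPORT_BASE);
    $candidate = realpath(EXAMPLE_EXPORT_BASE . '/' . ltrim($relative, '/'));
    if ($base === false || $candidate === false) {
        return null;
    }
    // realpath() collapses ".." and symlinks, so a prefix check is sufficient once
    // both sides are canonical. Requiring the separator prevents "/base-evil" matches.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

function example_action_export_all(): void {
    // 1. Nonce: proves the request originated from a page we rendered (CSRF protection).
    //    It says nothing about what the caller is allowed to do.
    check_ajax_referer('example_slider_export', 'nonce');

    // 2. Capability: the missing check. Without it any logged-in account, including a
    //    subscriber, can reach the export logic because every logged-in user can get a nonce.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient permissions', 403);
    }

    $requested = isset($_POST['files']) ? (array) $_POST['files'] : [];
    $zip_path  = tempnam(get_temp_dir(), 'example-export');
    $zip       = new ZipArchive();
    if ($zip->open($zip_path, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        wp_send_json_error('cannot create archive', 500);
    }

    foreach ($requested as $relative) {
        $relative = sanitize_text_field(wp_unslash($relative));
        $path     = example_resolve_export_path($relative);
        // 3. Source and type validation: only files inside the allowlisted directory with an
        //    expected extension are packaged. Anything else is logged and skipped, never read.
        $ext = strtolower(pathinfo((string) $path, PATHINFO_EXTENSION));
        if ($path === null || !in_array($ext, ['json', 'jpg', 'png'], true)) {
            error_log('example export: rejected path ' . $relative);
            continue;
        }
        $zip->addFromString(basename($path), file_get_contents($path));
    }
    $zip->close();

    nocache_headers();
    header('Content-Type: application/zip');
    header('Content-Disposition: attachment; filename="export.zip"');
    readfile($zip_path);
    unlink($zip_path);
    wp_die();
}

add_action('wp_ajax_example_export_all', 'example_action_export_all');
```

The rejected-path log line is worth keeping: repeated rejections from one low-privileged account are a cheap detection signal for exactly the kind of probing the article describes.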
Since some of the files contain sensitive information, such as credentials, keys, or salt data, the vulnerability can be rather disruptive. But because the threat actors need to be authenticated to be able to pull off the attack, the vulnerability was given a medium severity score. However, some are saying that memberships and subscription options are "common" on many platforms these days, suggesting that the risk is greater than what the vulnerability's severity score shows.
The bug was first spotted by security researcher Dmitrii Ignatyev in late February 2026, and reported to Wordfence in early March. He received a $2,200 bounty for his findings.
Nextendweb, the maintainers of Smart Slider 3, have released a patch with version 3.5.1.34, and at the time of writing, the latest version was downloaded exactly 308,575 times, meaning just under 500,000 websites are still vulnerable.
Currently, there are no reports of the bug being exploited in the wild, but users are advised to update their plugin as soon as possible to avoid being targeted.
Protecting WordPress websites
WordPress is a major website building platform (Image credit: Pixabay)
As a platform, WordPress is generally considered safe and without known major vulnerabilities. However, it operates a huge repository of third-party, user-built themes and plugins, split into free and premium categories. The latter usually come with a dedicated maintenance and development team and as such are regularly updated and hardened against attacks.
The free ones, on the other hand, are often built by enthusiasts, small teams, and freelance developers. Many of them are abandoned, unmaintained, or otherwise poorly managed, despite being popular among users. As such, they create a huge security risk on one end, and an attack opportunity on the other.
As a general rule of thumb, security researchers advise WordPress users to keep their platform, themes, and plugins updated at all times. Additionally, they suggest users only keep installed those themes and plugins they actively use and make sure to modify any default security and privacy settings.
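The two pieces of advice above, keep plugins updated and remove the ones you do not use, can be checked mechanically. The following is an added example of a small audit script, not part of the article or any plugin; it assumes it runs inside a loaded WordPress installation (for instance as a must-use plugin or via WP-CLI's eval-file), uses only WordPress core functions, and the report layout is my own.

```php
<?php
// Added example: report plugins with pending updates and plugins that are installed but
// inactive. Assumes WordPress is loaded; get_plugins() and is_plugin_active() live in
// wp-admin/includes/plugin.php, which is not loaded on the front end by default.
require_once ABSPATH . 'wp-admin/includes/plugin.php';

function example_plugin_audit(): array {
    // Ask core to refresh its update data so the transient reflects current versions.
    wp_update_plugins();
    $updates = get_site_transient('update_plugins');
    $pending = isset($updates->response) ? $updates->response : [];

    $report = ['update_available' => [], 'inactive' => []];
    foreach (get_plugins() as $file => $data) {
        // $file is the plugin's main file relative to the plugins directory,
        // e.g. "smart-slider-3/smart-slider-3.php" (constructed illustration).
        if (isset($pending[$file])) {
            $report['update_available'][] = sprintf(
                '%s %s -> %s', $data['Name'], $data['Version'], $pending[$file]->new_version
            );
        }
        // Installed-but-inactive plugins still sit on disk and, for many plugins, still
        // expose code paths; they are the first candidates for removal.
        if (!is_plugin_active($file)) {
            $report['inactive'][] = $data['Name'];
        }
    }
    return $report;
}

foreach (example_plugin_audit() as $category => $items) {
    echo $category . ': ' . (empty($items) ? 'none' : implode(', ', $items)) . PHP_EOL;
}
```

Run it on a schedule and alert on a non-empty update_available list; the inactive list is a one-off cleanup task rather than an alert.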
Via BleepingComputer

