Numerous websites have been affected following the discovery of a vulnerability in WordPress's Smart Slider 3

Posted date 28/04/2026

The incident came to light in late March 2026, when various cybersecurity-focused media outlets began warning of a critical vulnerability in Smart Slider 3, a plugin widely used in the WordPress ecosystem. The flaw was assigned the identifier CVE-2026-3098, indicating that it had been formally registered in vulnerability databases. From the outset, the scale of the problem was highlighted because of the enormous number of active installations of the affected plugin, which raised concerns among web administrators and security specialists.

The problem stems from a vulnerability that allowed users with limited permissions to access sensitive system files, thereby facilitating the theft of credentials and other critical data. It is estimated that more than 500,000 websites may have been compromised, out of a total of more than 800,000 installations of the plugin. Those most affected were website administrators using vulnerable versions of the plugin, especially those who did not have additional security measures in place. Following the disclosure of the flaw, standard response protocols were activated: notification to developers, dissemination through cybersecurity channels, and the expected release of updates to fix the vulnerability, along with mitigation recommendations such as immediate updating and access reviews.

The incident appears to be under control, provided that administrators have applied the necessary updates and checked for any unauthorized access. However, a risk remains for sites that continue to use outdated versions of the plugin, which could make them vulnerable to opportunistic attacks even after the public disclosure.

 
