A critical arbitrary file read vulnerability in the Smart Slider 3 WordPress plugin leaves over 500,000 websites exposed. TP-Link patches authentication bypass and command injection flaws in routers. Cisco releases multi-vulnerability IOS fix covering DoS, secure boot bypass, and privilege escalation. BIND DNS resolvers face memory exhaustion via crafted domains. Hightower Holding discloses breach affecting 130,000 individuals. OpenAI expands its bug bounty to cover AI safety and abuse risks.
Any authenticated user (including subscribers) can read arbitrary server files โ including wp-config.php with database credentials, keys, and salts. Over 500,000 sites are still running vulnerable versions.
Security researcher Dmitrii Ignatyev has disclosed a serious vulnerability in Smart Slider 3, one of WordPress's most popular slider plugins with over 800,000 active installations. Tracked as CVE-2026-3098, the flaw allows any authenticated user โ even those with the lowest subscriber role โ to read arbitrary files from the web server.
The vulnerability stems from missing capability checks in the plugin's AJAX export actions. The actionExportAll function lacks file type and source validation, meaning that not only image or video files can be exported โ .php files can be read as well.
While a nonce is present, it does not prevent abuse because any authenticated user can obtain it. As Wordfence researcher Istvรกn Mรกrton explained:
"This ultimately makes it possible for authenticated attackers with minimal access, like subscribers, to read any arbitrary file on the server, including the site's wp-config.php file, which contains the database credentials as well as keys and salts for cryptographic security."
The vulnerability is not yet flagged as actively exploited, but given the low barrier (subscriber-level access) and high value of exposed data (database credentials), exploitation is expected imminently.
Defender Action: Update Smart Slider 3 to version 3.5.1.34 immediately. If you cannot patch right away, disable the plugin. Audit your site for unauthorized subscriber accounts. Rotate database credentials and WordPress salts if you suspect compromise. Review server logs for anomalous export requests.
Multiple high-severity flaws in TP-Link routers allow authentication bypass, arbitrary command execution, and configuration file decryption. Firmware updates are available.
TP-Link has released firmware updates addressing multiple high-severity vulnerabilities across its router product line. The security defects could be chained by attackers to achieve complete router compromise without valid credentials.
These vulnerabilities are particularly dangerous because home and SMB routers are often internet-facing, rarely updated, and provide a strategic foothold for lateral movement into internal networks.
Defender Action: Check your TP-Link router model against the vendor's security advisory and update firmware immediately. Disable remote management if not needed. Change default admin credentials. Consider network segmentation to limit router compromise blast radius.
Cisco has released a batch of security patches for its IOS and IOS XE software addressing multiple high- and medium-severity vulnerabilities. The flaws collectively cover a wide range of attack surfaces in enterprise networking equipment.
| Impact | Severity | Description |
|---|---|---|
| Denial of Service | High | Crafted packets can crash routing processes, causing network outages |
| Secure Boot Bypass | High | Attackers can bypass secure boot protections, enabling persistent firmware-level implants |
| Information Disclosure | Medium | Sensitive configuration data and internal state information leakage |
| Privilege Escalation | Medium | Authenticated users can elevate privileges beyond their authorization level |
The secure boot bypass is particularly concerning โ it enables attackers who gain initial access to install persistent backdoors that survive device reboots and even firmware upgrades in some scenarios.
Defender Action: Review the Cisco IOS security advisory bundle and schedule immediate patching for internet-facing and critical infrastructure devices. Prioritize the secure boot bypass and DoS vulnerabilities. Verify device integrity using Cisco's Trustworthy Technologies verification tools.
Specially crafted domain queries can trigger out-of-memory conditions in BIND resolvers, leading to progressive memory leaks and eventual denial of service.
ISC has published updates for BIND 9, the most widely deployed DNS server software, patching high-severity vulnerabilities that allow remote attackers to cause memory exhaustion in DNS resolvers through specially crafted domain queries.
The vulnerabilities exploit edge cases in BIND's domain name resolution logic. When a resolver processes certain crafted domain names, it allocates memory that is never properly freed. An attacker can send a steady stream of such queries to progressively consume all available memory on the resolver, eventually causing:
Given that BIND powers a significant portion of the internet's DNS infrastructure, these vulnerabilities have a wide blast radius. Enterprise, ISP, and government DNS resolvers are all potentially affected.
Defender Action: Update BIND to the latest patched version immediately. Monitor resolver memory usage for anomalous growth patterns. Implement rate limiting on DNS queries from individual sources. Consider deploying BIND alongside alternative resolvers for redundancy.
Hightower Holding, a major U.S.-based wealth management firm, has disclosed a data breach affecting approximately 130,000 individuals. The company confirmed that hackers gained unauthorized access to its environment and exfiltrated sensitive personal information.
This combination of PII is particularly dangerous for identity theft and financial fraud. With SSNs and driver's license numbers, attackers can open fraudulent credit accounts, file false tax returns, and conduct sophisticated social engineering attacks against the victims.
Hightower is a registered investment advisor managing over $130 billion in assets, making this breach particularly significant for the financial services sector. The company is offering credit monitoring services to affected individuals.
Affected Individuals: If you're a Hightower client, freeze your credit with all three bureaus (Equifax, Experian, TransUnion). Monitor financial accounts for unauthorized activity. Be vigilant for phishing attempts using your leaked personal data. Consider an IRS Identity Protection PIN.
In a notable expansion of its security program, OpenAI has launched a new bug bounty track specifically targeting AI abuse and safety risks. Unlike traditional bug bounties that focus on code-level vulnerabilities, this program rewards researchers for discovering design or implementation issues that lead to material harm.
This represents a significant shift in how AI companies approach security. By creating financial incentives for red-teaming AI safety, OpenAI is acknowledging that traditional vulnerability disclosure models need to evolve alongside AI capabilities.
For Researchers: The program covers design and implementation issues leading to material harm. Reports should include clear reproduction steps and evidence of impact. This is separate from OpenAI's existing security bug bounty on HackerOne.
| Threat | Category | Severity | Action Required |
|---|---|---|---|
| Smart Slider CVE-2026-3098 | WordPress Vuln | Medium* | Update to 3.5.1.34 |
| TP-Link Router Flaws | Network Vuln | High | Update firmware |
| Cisco IOS Multi-Vuln | Network Vuln | High | Apply IOS patches |
| BIND DNS Memory Leak | DNS Vuln | High | Update BIND |
| Hightower Breach (130K) | Data Breach | High | Credit freeze / monitor |
| OpenAI Safety Bounty | Industry | Info | Awareness |
*Smart Slider CVE rated medium due to authentication requirement, but real-world risk is high on sites with open registration.
KENSAI continuously monitors your WordPress plugins, network devices, and DNS infrastructure for known vulnerabilities โ alerting you before attackers strike.
Start Your Free Scan โPublished by the KENSAI Threat Intelligence Team
March 29, 2026 โ Evening Edition
Sources: Wordfence, BleepingComputer, SecurityWeek, ISC, Cisco, TP-Link, OpenAI