Smart Slider WordPress Flaw Exposes 500K+ Sites, Coruna iOS Exploit Kit Revives Operation Triangulation, OpenAI Launches AI Abuse Bug Bounty, TP-Link Patches Critical Router Vulns
A medium-severity vulnerability in the Smart Slider 3 WordPress plugin allows subscriber-level users to read arbitrary server files including wp-config.php — with over 500,000 sites still unpatched. Security researchers identify the Coruna iOS exploit kit as a likely updated successor to the notorious Operation Triangulation. OpenAI opens a new bug bounty track focused on AI abuse and safety risks. TP-Link patches high-severity vulnerabilities across multiple router models. Hightower Holding confirms a data breach affecting 130,000 individuals.
🔴 Smart Slider 3 WordPress Plugin Flaw Lets Subscribers Read Any Server File
A vulnerability in Smart Slider 3, one of the most popular WordPress plugins with over 800,000 active installations, allows any authenticated user — even those with mere subscriber-level access — to read arbitrary files on the server. The flaw is tracked as CVE-2026-3098.
Technical Details
The vulnerability stems from missing capability checks in the plugin's AJAX export actions. The actionExportAll function lacks both file type and source validation, allowing any authenticated user to invoke it and include arbitrary server files — including wp-config.php — in the export archive.
- Affected versions: All versions through 3.5.1.33
- Fixed in: Version 3.5.1.34 (released March 24, 2026)
- Attack requirement: Any authenticated user (subscriber-level or above)
- Impact: Arbitrary file read — database credentials, cryptographic keys, salts
- Discovered by: Dmitrii Ignatyev, validated by Wordfence/Defiant
While the vulnerability requires authentication, this only limits impact to websites that offer user registration or subscription features — which is extremely common on modern WordPress sites with membership systems, WooCommerce shops, or community forums.
⚠️ 500,000+ Sites Still Vulnerable
WordPress.org download stats show the plugin was downloaded roughly 303,000 times in the past week, meaning at least 500,000 sites are still running vulnerable versions. Update to Smart Slider 3 version 3.5.1.34 immediately. After updating, rotate database credentials and WordPress salts as a precaution if you allow user registrations.
Why This Matters Beyond the Score
The CVE received a medium severity score due to the authentication requirement, but defenders should not be complacent. In practice:
- Attackers routinely create subscriber accounts on sites that allow registration
- Leaked
wp-config.phpprovides full database access, enabling complete site takeover - Cryptographic keys and salts can be used to forge authentication cookies
- The vulnerability is trivial to exploit with the published proof-of-concept
Defender Action: Update Smart Slider 3 to 3.5.1.34+. Audit user accounts for suspicious subscriber registrations. Consider disabling user registration if not business-critical. Rotate all secrets in wp-config.php. Monitor for unusual file export activity in server logs.
📱 Coruna iOS Exploit Kit Identified as Likely Successor to Operation Triangulation
Security researchers have identified a sophisticated iOS exploit kit dubbed Coruna that contains an updated version of a kernel exploit previously used in Operation Triangulation — the high-profile espionage campaign discovered by Kaspersky in 2023 that targeted iOS devices via zero-click iMessage exploits.
Operation Triangulation Background
Operation Triangulation was one of the most advanced iOS attack chains ever documented:
- Zero-click delivery: Exploitation via iMessage without any user interaction
- Four zero-days chained: Including exploits for WebKit, kernel, and a previously unknown hardware feature
- Targets: Kaspersky researchers, diplomats, and government officials
- Attribution: Widely attributed to a Western intelligence service
What Makes Coruna Significant
The Coruna kit represents a continuation and evolution of the same exploit development program. Researchers found that the kernel exploit component has been updated to work against newer iOS versions, with refinements to bypass mitigations introduced by Apple in response to the original Operation Triangulation disclosures.
The discovery raises critical questions about the longevity of state-sponsored exploit programs and whether the fixes Apple deployed in 2023-2024 fully neutralized the underlying attack surface. The existence of Coruna suggests the exploit developers had deeper knowledge of the targeted hardware and software than the patches addressed.
🔸 Advanced Persistent Threat
Organizations in government, diplomacy, defense, and critical infrastructure should ensure all iOS devices are running the latest iOS version. Enable Lockdown Mode on devices used by high-value personnel. The persistence of Operation Triangulation-class exploits underscores why mobile device management and aggressive patching remain essential — even against threats you thought were resolved.
🤖 OpenAI Launches Bug Bounty Program for AI Abuse and Safety Risks
OpenAI has expanded its security research program with a new bug bounty track specifically targeting abuse and safety risks in its AI models and products. Through this new program, OpenAI will reward reports covering design or implementation issues that lead to material harm.
What's In Scope
Unlike traditional bug bounty programs that focus on infrastructure vulnerabilities like XSS or SQLi, this new track covers:
- Model safety bypasses: Techniques that reliably circumvent safety filters to produce harmful outputs
- Abuse vectors: Methods enabling systematic misuse of AI systems at scale
- Design flaws: Architectural issues in how AI models handle sensitive contexts
- Implementation gaps: Bugs in safety-critical code paths that could lead to harmful outcomes
Industry Significance
This represents a meaningful shift in how AI companies approach safety — treating abuse and misuse as security vulnerabilities worthy of bounty rewards. It acknowledges that jailbreaks, prompt injection attacks, and safety bypasses have real-world consequences and deserve the same structured response as traditional vulnerabilities.
For Security Researchers: OpenAI's expanded program creates new opportunities for AI red-teaming. Researchers with expertise in adversarial machine learning, prompt engineering, and AI safety can now receive financial rewards for identifying weaknesses. This could accelerate the discovery and mitigation of safety gaps across the AI industry if competitors follow suit.
🔧 TP-Link Patches High-Severity Vulnerabilities Across Router Product Line
TP-Link has released security updates addressing multiple high-severity vulnerabilities across its router product line. The security defects could be exploited to:
- Bypass authentication — gaining access without valid credentials
- Execute arbitrary commands — achieving full device control
- Decrypt configuration files — exposing stored credentials, Wi-Fi passwords, and network configurations
Why Router Vulnerabilities Are Critical
TP-Link routers are among the most widely deployed consumer and small business networking devices globally. Compromised routers serve as:
- Network pivot points: Attackers use them as entry into internal networks
- Botnet nodes: Vulnerable routers are frequently enrolled in DDoS botnets
- Traffic interception points: MitM attacks on all devices behind the router
- Persistent footholds: Router compromises often survive endpoint remediation
This comes amid heightened regulatory scrutiny of TP-Link products. The FCC has been evaluating potential restrictions on certain Chinese-manufactured networking equipment, and unpatched vulnerabilities in widely-deployed routers feed directly into those national security concerns.
⚠️ Update Your Routers
Defender Action: Check TP-Link's security advisory for affected models and firmware versions. Update router firmware immediately. Change default admin credentials if not already done. Disable remote management unless explicitly required. Review whether WAN-facing management interfaces are exposed.
💾 Hightower Holding Data Breach Impacts 130,000 Individuals
Hightower Holding, a wealth management and financial advisory firm, has disclosed a data breach affecting approximately 130,000 individuals. The company confirmed that hackers stole sensitive personal information from its environment, including:
- Full names
- Social Security numbers
- Driver's license numbers
The combination of SSNs and driver's license numbers represents a high-value dataset for identity theft. Affected individuals face elevated risk of fraudulent account openings, tax fraud, and synthetic identity creation.
Financial Sector Under Pressure
Wealth management firms hold particularly sensitive data — not just personal identifiers but financial account details, investment portfolios, and net worth information. The Hightower breach adds to a growing list of financial sector incidents that highlight the need for:
- Stronger data segmentation and encryption at rest
- Enhanced monitoring of data exfiltration attempts
- Incident response plans that account for regulatory notification requirements (SEC, state AGs)
If You're Affected: Monitor your credit reports across all three bureaus. Consider placing a credit freeze — especially if notified that your SSN was compromised. Watch for phishing attempts that reference Hightower or wealth management services, as threat actors often use stolen data to craft targeted social engineering.
📊 Threat Landscape Summary
| Threat | Category | Severity | Target |
|---|---|---|---|
| Smart Slider 3 CVE-2026-3098 | Web Application / Plugin | Medium-High | 500K+ WordPress sites |
| Coruna iOS Exploit Kit | Nation-State / Espionage | Critical | High-value iOS users |
| OpenAI Abuse Bug Bounty | AI Safety / Industry | Informational | AI ecosystem |
| TP-Link Router Vulnerabilities | Network Infrastructure | High | Consumer / SMB networks |
| Hightower Holding Breach | Data Breach | High | 130,000 individuals |
🔑 Key Takeaways
- WordPress plugin supply chain risk persists. Smart Slider 3's arbitrary file read shows that even "medium severity" vulnerabilities can lead to complete site takeover when they expose wp-config.php. Patch immediately and rotate secrets.
- State-sponsored exploit programs don't die — they evolve. Coruna's connection to Operation Triangulation demonstrates that patching a zero-day doesn't eliminate the underlying research program. Assume adversaries have the next variant ready.
- AI safety is becoming a security discipline. OpenAI treating abuse vectors as bounty-worthy vulnerabilities is a significant maturation signal. Expect other AI companies to follow with similar programs.
- Router security remains a systemic weakness. TP-Link's patches are welcome, but the real problem is that most consumer routers never get updated. Organizations should enforce firmware update policies for all network edge devices.
- Financial sector breaches carry outsized identity theft risk. When wealth management firms lose SSNs and license numbers, the downstream fraud potential is significant. Credit freezes should be the default response.