Smart Slider WordPress CVE Hits 500K Sites, TP-Link & Cisco IOS Patch Critical Flaws, BIND DNS Memory Leak, Hightower 130K Breach, OpenAI Safety Bug Bounty
A critical arbitrary file read vulnerability in the Smart Slider 3 WordPress plugin leaves over 500,000 websites exposed. TP-Link patches authentication bypass and command injection flaws in routers. Cisco releases multi-vulnerability IOS fix covering DoS, secure boot bypass, and privilege escalation. BIND DNS resolvers face memory exhaustion via crafted domains. Hightower Holding discloses breach affecting 130,000 individuals. OpenAI expands its bug bounty to cover AI safety and abuse risks.
🔌 CVE-2026-3098: Smart Slider 3 WordPress Plugin Exposes 500K+ Sites to Arbitrary File Read
⚠️ Critical WordPress Vulnerability — Patch Now
Any authenticated user (including subscribers) can read arbitrary server files — including wp-config.php with database credentials, keys, and salts. Over 500,000 sites are still running vulnerable versions.
Security researcher Dmitrii Ignatyev has disclosed a serious vulnerability in Smart Slider 3, one of WordPress's most popular slider plugins with over 800,000 active installations. Tracked as CVE-2026-3098, the flaw allows any authenticated user — even those with the lowest subscriber role — to read arbitrary files from the web server.
Root Cause
The vulnerability stems from missing capability checks in the plugin's AJAX export actions. The actionExportAll function lacks file type and source validation, meaning that not only image or video files can be exported — .php files can be read as well.
While a nonce is present, it does not prevent abuse because any authenticated user can obtain it. As Wordfence researcher István Márton explained:
"This ultimately makes it possible for authenticated attackers with minimal access, like subscribers, to read any arbitrary file on the server, including the site's wp-config.php file, which contains the database credentials as well as keys and salts for cryptographic security."
Timeline & Patch
- Feb 23: Ignatyev reports to Wordfence with working PoC exploit
- Mar 2: Nextendweb (developer) acknowledges the report
- Mar 24: Patch released in Smart Slider 3 version 3.5.1.34
- Mar 29: Only ~303K downloads in the past week — 500K+ sites still vulnerable
The vulnerability is not yet flagged as actively exploited, but given the low barrier (subscriber-level access) and high value of exposed data (database credentials), exploitation is expected imminently.
Defender Action: Update Smart Slider 3 to version 3.5.1.34 immediately. If you cannot patch right away, disable the plugin. Audit your site for unauthorized subscriber accounts. Rotate database credentials and WordPress salts if you suspect compromise. Review server logs for anomalous export requests.
📡 TP-Link Patches High-Severity Router Vulnerabilities
🔶 Router Security — Consumer & SMB Impact
Multiple high-severity flaws in TP-Link routers allow authentication bypass, arbitrary command execution, and configuration file decryption. Firmware updates are available.
TP-Link has released firmware updates addressing multiple high-severity vulnerabilities across its router product line. The security defects could be chained by attackers to achieve complete router compromise without valid credentials.
Vulnerability Classes
- Authentication Bypass: Attackers can access the router's management interface without valid credentials by exploiting flaws in the authentication handling logic
- Arbitrary Command Execution: Once past authentication, crafted requests can execute operating system commands with root privileges on the router
- Configuration File Decryption: Encrypted configuration backups can be decrypted, exposing Wi-Fi passwords, ISP credentials, VPN keys, and other sensitive settings
These vulnerabilities are particularly dangerous because home and SMB routers are often internet-facing, rarely updated, and provide a strategic foothold for lateral movement into internal networks.
Defender Action: Check your TP-Link router model against the vendor's security advisory and update firmware immediately. Disable remote management if not needed. Change default admin credentials. Consider network segmentation to limit router compromise blast radius.
🌐 Cisco Patches Multiple IOS Software Vulnerabilities
Cisco has released a batch of security patches for its IOS and IOS XE software addressing multiple high- and medium-severity vulnerabilities. The flaws collectively cover a wide range of attack surfaces in enterprise networking equipment.
| Impact | Severity | Description |
|---|---|---|
| Denial of Service | High | Crafted packets can crash routing processes, causing network outages |
| Secure Boot Bypass | High | Attackers can bypass secure boot protections, enabling persistent firmware-level implants |
| Information Disclosure | Medium | Sensitive configuration data and internal state information leakage |
| Privilege Escalation | Medium | Authenticated users can elevate privileges beyond their authorization level |
The secure boot bypass is particularly concerning — it enables attackers who gain initial access to install persistent backdoors that survive device reboots and even firmware upgrades in some scenarios.
Defender Action: Review the Cisco IOS security advisory bundle and schedule immediate patching for internet-facing and critical infrastructure devices. Prioritize the secure boot bypass and DoS vulnerabilities. Verify device integrity using Cisco's Trustworthy Technologies verification tools.
🔎 BIND DNS Resolvers Vulnerable to Memory Exhaustion Attacks
⚠️ DNS Infrastructure — Memory Leak Risk
Specially crafted domain queries can trigger out-of-memory conditions in BIND resolvers, leading to progressive memory leaks and eventual denial of service.
ISC has published updates for BIND 9, the most widely deployed DNS server software, patching high-severity vulnerabilities that allow remote attackers to cause memory exhaustion in DNS resolvers through specially crafted domain queries.
How It Works
The vulnerabilities exploit edge cases in BIND's domain name resolution logic. When a resolver processes certain crafted domain names, it allocates memory that is never properly freed. An attacker can send a steady stream of such queries to progressively consume all available memory on the resolver, eventually causing:
- Service degradation — slow DNS resolution affecting all clients
- Out-of-memory crashes — complete DNS service failure
- Cascading failures — if redundant resolvers are targeted simultaneously
Given that BIND powers a significant portion of the internet's DNS infrastructure, these vulnerabilities have a wide blast radius. Enterprise, ISP, and government DNS resolvers are all potentially affected.
Defender Action: Update BIND to the latest patched version immediately. Monitor resolver memory usage for anomalous growth patterns. Implement rate limiting on DNS queries from individual sources. Consider deploying BIND alongside alternative resolvers for redundancy.
💼 Hightower Holding Data Breach Impacts 130,000 Individuals
Hightower Holding, a major U.S.-based wealth management firm, has disclosed a data breach affecting approximately 130,000 individuals. The company confirmed that hackers gained unauthorized access to its environment and exfiltrated sensitive personal information.
Compromised Data
- Full names of clients and associated individuals
- Social Security numbers (SSNs)
- Driver's license numbers
This combination of PII is particularly dangerous for identity theft and financial fraud. With SSNs and driver's license numbers, attackers can open fraudulent credit accounts, file false tax returns, and conduct sophisticated social engineering attacks against the victims.
Hightower is a registered investment advisor managing over $130 billion in assets, making this breach particularly significant for the financial services sector. The company is offering credit monitoring services to affected individuals.
Affected Individuals: If you're a Hightower client, freeze your credit with all three bureaus (Equifax, Experian, TransUnion). Monitor financial accounts for unauthorized activity. Be vigilant for phishing attempts using your leaked personal data. Consider an IRS Identity Protection PIN.
🤖 OpenAI Launches Bug Bounty Program for AI Abuse & Safety Risks
In a notable expansion of its security program, OpenAI has launched a new bug bounty track specifically targeting AI abuse and safety risks. Unlike traditional bug bounties that focus on code-level vulnerabilities, this program rewards researchers for discovering design or implementation issues that lead to material harm.
What's In Scope
- Safety bypasses — techniques that circumvent content policy enforcement or safety guardrails
- Abuse vectors — methods to use OpenAI systems for disinformation, manipulation, or other harmful purposes at scale
- Design-level flaws — architectural issues that could lead to unintended harmful behaviors
- Model manipulation — attacks that cause models to behave in ways that violate safety policies
This represents a significant shift in how AI companies approach security. By creating financial incentives for red-teaming AI safety, OpenAI is acknowledging that traditional vulnerability disclosure models need to evolve alongside AI capabilities.
For Researchers: The program covers design and implementation issues leading to material harm. Reports should include clear reproduction steps and evidence of impact. This is separate from OpenAI's existing security bug bounty on HackerOne.
📊 Threat Landscape Summary
| Threat | Category | Severity | Action Required |
|---|---|---|---|
| Smart Slider CVE-2026-3098 | WordPress Vuln | Medium* | Update to 3.5.1.34 |
| TP-Link Router Flaws | Network Vuln | High | Update firmware |
| Cisco IOS Multi-Vuln | Network Vuln | High | Apply IOS patches |
| BIND DNS Memory Leak | DNS Vuln | High | Update BIND |
| Hightower Breach (130K) | Data Breach | High | Credit freeze / monitor |
| OpenAI Safety Bounty | Industry | Info | Awareness |
*Smart Slider CVE rated medium due to authentication requirement, but real-world risk is high on sites with open registration.
🔑 Key Takeaways
- WordPress remains the web's largest attack surface. Smart Slider's CVE-2026-3098 is a reminder that plugins with millions of installs can have trivial-to-exploit flaws. Subscriber-level access should never grant file system reads.
- Network infrastructure patching is non-negotiable. TP-Link routers, Cisco IOS, and BIND DNS all received critical patches this week. Each represents a different layer of network infrastructure — if any one falls, the entire stack is at risk.
- Financial sector breaches continue to escalate. Hightower's 130K-record breach underscores that wealth management firms are high-value targets. The combination of SSNs and driver's licenses gives attackers everything needed for identity fraud.
- AI safety is becoming a formal security discipline. OpenAI's dedicated abuse and safety bounty program signals that AI red-teaming is moving from ad hoc research to structured, incentivized practice.