Smart Slider 3 vulnerability, WordPress 7.0 prep, and Joomla fixes

Bad week for Smart Slider 3. A vulnerability disclosed this week lets any registered user on your site - even a basic subscriber - download your wp-config.php and every other file the web server can read. Over 800,000 WordPress sites are affected, and the same vulnerable code ships in the Joomla version too. If you run Smart Slider 3, update to version 3.5.1.34 now.

On the WordPress side, version 7.0 lands April 9 with new minimum requirements: PHP 7.4 and MySQL 8.0. Sites on older versions will not get the auto-update. Good time to check your portfolio.

For Joomla, Firefox 148 broke the TinyMCE editor across every version, and there's a new post on detecting locked scheduled tasks before they cause problems. Plus a guide explaining the difference between snapshots and audits in mySites.guru.

All guides are free to read on the blog

Security

Smart Slider 3 lets any subscriber download your wp-config.php

CVE-2026-3098 is an arbitrary file read vulnerability affecting all Smart Slider 3 versions up to 3.5.1.33. The slider export function lacks proper capability checks, so anyone with a subscriber account can download any file from your server. That includes database credentials, authentication keys, and anything else the web server can read. The Joomla version shares the same vulnerable code. Update to 3.5.1.34, then regenerate your salts and change your database password.

From the blog

Need help with your site? Phil Taylor – Fixing websites since 2004

Found something wrong with your Joomla or WordPress site? If it were simple, you'd have fixed it already. I offer same-day expert help at a flat rate of £120 per incident. No hourly billing surprises.

If I can't add value, you don't pay