A missing authorization flaw in the Smart Slider 3 WordPress plugin (CVE-2026-3098, CVSS 7.5) allows any Subscriber-level authenticated user to read arbitrary server files, with wp-config.php — containing database credentials and authentication keys — as the primary target. Approximately 500,000 of 800,000+ active installations remain unpatched as of the publication date, presenting a broad attack surface given low exploitation complexity. Organizations should update to version 3.5.1.34 immediately, rotate all wp-config.php credentials and salts post-update, and implement WAF controls on wp-admin/admin-ajax.php to limit exposure on internet-facing WordPress sites pending patching.
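To find which sites still need the update, the following added example (not code from the plugin or from this advisory) walks a hosting root, reads each Smart Slider 3 plugin header, and classifies the install against the fixed version 3.5.1.34. It assumes the plugin lives in a directory named `smart-slider-3` under `wp-content/plugins` and that its main PHP file carries the standard `Plugin Name:` and `Version:` header lines.

```python
import re
import sys
from pathlib import Path

FIXED = (3, 5, 1, 34)    # fixed release named in the advisory above
SLUG = "smart-slider-3"  # assumption: plugin directory under wp-content/plugins
HEADER_BYTES = 8192      # WordPress reads plugin headers from the first 8 KiB
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)


def installed_version(plugin_dir):
    """Return the version tuple from the plugin's main-file header, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        try:
            with open(php, "rb") as fh:
                head = fh.read(HEADER_BYTES).decode("utf-8", "replace")
        except OSError:
            continue  # unreadable file: try the next candidate
        match = VERSION_RE.search(head)
        if NAME_RE.search(head) and match:
            return tuple(int(part) for part in match.group(1).split("."))
    return None


def classify(version):
    """Map a version tuple to a triage status."""
    if version is None:
        return "unknown"  # header missing or unreadable: review by hand
    return "patched" if version >= FIXED else "vulnerable"


def audit(root):
    """Find every copy of the plugin under root and classify it."""
    findings = []
    for plugin_dir in sorted(Path(root).rglob(f"wp-content/plugins/{SLUG}")):
        if plugin_dir.is_dir():
            version = installed_version(plugin_dir)
            findings.append((str(plugin_dir), version, classify(version)))
    return findings


if __name__ == "__main__":
    results = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, version, status in results:
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:10} {shown:12} {path}")
    # Non-zero exit when anything still needs patching or manual review.
    sys.exit(1 if any(s != "patched" for _, _, s in results) else 0)
```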