Smart Slider 3 Arbitrary File Download Risk (CVE-2026-3098)

Arbitrary file download in the WordPress Smart Slider 3 plugin
Plugin name: Smart Slider 3
Vulnerability type: Arbitrary file download
CVE ID: CVE-2026-3098
Urgency:
CVE publication date: 2026-03-29
Source: CVE-2026-3098

Urgent Security Advisory — Authenticated Arbitrary File Download in Smart Slider 3 (CVE-2026-3098)

Summary: Smart Slider 3 versions ≤ 3.5.1.33 contain an authenticated arbitrary file read vulnerability (CVE-2026-3098). A low-privileged Subscriber account can invoke an export endpoint (action=exportAll) to read files from the filesystem, potentially exposing wp-config.php, backups, private uploads, or other sensitive files. Treat this as high priority. A vendor patch is available in 3.5.1.34.

Published: 27 March 2026

Affected software: Smart Slider 3 (WordPress plugin) ≤ 3.5.1.33

Fixed in: 3.5.1.34

CVE: CVE-2026-3098

CVSS (illustrative): 6.5, which is Medium severity on the CVSS v3.x scale (4.0 to 6.9); this advisory nevertheless treats the issue as high priority because of the low privilege required and the value of the files exposed

Required privileges: Subscriber (authenticated)

Classification: Arbitrary file download / Broken access control

Authoring perspective: Hong Kong security practitioner. Tone: concise, practical, and focused on rapid response for operators and incident handlers.

What happened (in brief)

A vulnerability in Smart Slider 3 (versions up to and including 3.5.1.33) allows an authenticated attacker with Subscriber-level access to trigger an export API/action that reads files from the server filesystem and returns them to the attacker. Subscriber-level accounts are common on many sites, making this flaw capable of exposing wp-config.php, database backups and other private files.

The vendor released a security patch in version 3.5.1.34. Apply the update immediately. If you cannot update right away, follow the mitigations below.

Why this matters for your site

  • Subscriber accounts are easy to create or compromise; exploitation does not require admin credentials.
  • Reading wp-config.php enables database credential theft and potential full site takeover.
  • Backups, configuration files, API keys, or other sensitive material accessible to the PHP process can be exfiltrated.
  • This type of issue is commonly scanned and mass-exploited by automated campaigns — treat as urgent across fleets.

Technical details and attack mechanics

Root cause (high level)

  • The plugin exposes an AJAX/export endpoint that accepts parameters controlling files to include in an export or which files to return.
  • Insufficient input validation or access control permits subscriber accounts to specify arbitrary paths (relative or absolute).
  • The server reads and returns files without proper path validation or authorization checks.

Attack vector

  1. Attacker authenticates (or uses an existing subscriber account).
  2. Sends a request to the plugin’s action endpoint (commonly via admin-ajax.php with parameter action=exportAll).
  3. Supplies a parameter containing a file path or traversal sequence such as ../../wp-config.php or an absolute path.
  4. The vulnerable code reads the file and returns contents (or includes it in a downloadable archive), leaking sensitive data.
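The root cause and attack vector above describe the generic shape of the bug: a caller-controlled file name reaches a filesystem read without authorisation or path containment. The following is an added illustration, not Smart Slider 3's code; the function names, the export directory layout and the 'file' parameter are assumptions for demonstration, since this page does not state the plugin's real parameter names. It places the vulnerable shape next to a hardened version and runs both against a throwaway directory holding a constructed stand-in for wp-config.php.

```php
<?php
// Added example, not Smart Slider 3's code: a hypothetical export handler in the
// vulnerable shape the advisory describes (user-controlled path read as-is), next
// to a hardened version. Function names and the 'file' parameter are assumptions.

// VULNERABLE shape: the caller-supplied name is joined to the export directory and
// read without canonicalisation, so "../../wp-config.php" or an absolute path
// escapes the directory.
function ss3_export_file_vulnerable(string $export_dir, string $file): ?string
{
    $contents = @file_get_contents($export_dir . '/' . $file);
    return $contents === false ? null : $contents;
}

// HARDENED path resolution: canonicalise with realpath() (which also resolves
// symlinks) and require the result to remain inside the export directory.
function ss3_resolve_export_path(string $export_dir, string $file): ?string
{
    $base = realpath($export_dir);
    if ($base === false || $file === '' || strpos($file, "\0") !== false) {
        return null;
    }
    // Absolute paths (POSIX, backslash/UNC, Windows drive letter) are never valid here.
    if ($file[0] === '/' || $file[0] === '\\' || preg_match('/^[A-Za-z]:/', $file) === 1) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($real === false || !is_file($real)) {
        return null; // nonexistent, or a directory
    }
    // Containment: the canonical path must start with "<base>/". A symlink inside the
    // export directory that points outside resolves outside and is rejected as well.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

function ss3_export_file_safe(string $export_dir, string $file): ?string
{
    $path = ss3_resolve_export_path($export_dir, $file);
    return $path === null ? null : file_get_contents($path);
}

// Where this belongs in a WordPress AJAX handler. Authorisation comes first: path
// containment alone does not remove the Subscriber-level access the advisory
// describes. (WordPress core functions, shown as a comment; not run outside WordPress.)
//
//   add_action( 'wp_ajax_exportAll', function () {
//       check_ajax_referer( 'ss3_export', 'nonce' );        // CSRF: a valid nonce is required
//       if ( ! current_user_can( 'manage_options' ) ) {     // AuthZ: administrators only
//           wp_send_json_error( 'forbidden', 403 );
//       }
//       $data = ss3_export_file_safe( WP_CONTENT_DIR . '/uploads/ss3-exports',
//                                     (string) ( $_POST['file'] ?? '' ) );
//       ...
//   } );

// Demo on a throwaway directory. The "wp-config.php" written here is a constructed
// stand-in, not a real configuration file.
function ss3_demo(): array
{
    $root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ss3demo-' . bin2hex(random_bytes(4));
    $dir  = $root . DIRECTORY_SEPARATOR . 'exports';
    mkdir($dir, 0700, true);
    file_put_contents($root . '/wp-config.php', "define('DB_PASSWORD', 'constructed-secret');\n");
    file_put_contents($dir . '/slider-1.ss3', "slider export data\n");

    $results = [
        'vulnerable, legitimate name' => ss3_export_file_vulnerable($dir, 'slider-1.ss3'),
        'vulnerable, traversal'       => ss3_export_file_vulnerable($dir, '../wp-config.php'), // leaks the config
        'hardened, legitimate name'   => ss3_export_file_safe($dir, 'slider-1.ss3'),
        'hardened, traversal'         => ss3_export_file_safe($dir, '../wp-config.php'),       // null: rejected
        'hardened, absolute path'     => ss3_export_file_safe($dir, $root . '/wp-config.php'), // null: rejected
    ];

    unlink($dir . '/slider-1.ss3');
    unlink($root . '/wp-config.php');
    rmdir($dir);
    rmdir($root);
    return $results;
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    foreach (ss3_demo() as $case => $out) {
        printf("%-30s => %s\n", $case, $out === null ? 'REJECTED' : json_encode($out));
    }
}
```

Run it with `php example.php`: the vulnerable function returns the stand-in config for the traversal case, the hardened one rejects both the traversal and the absolute path while still serving the legitimate export. The realpath-then-prefix check is the important part: string filtering of `../` alone misses encoded variants and symlinks, whereas comparing canonical paths does not.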

Impact

  • Disclosure of wp-config.php (DB credentials, salts), .htaccess, backups, configuration files and any file readable by PHP.
  • Credential theft leading to database compromise, backdoors, ransomware, and data exfiltration.

Who is affected

Any site running Smart Slider 3 ≤ 3.5.1.33 that has at least one Subscriber account or allows registration — or where an attacker can acquire a subscriber account.

Patched version

Upgrade to Smart Slider 3 version 3.5.1.34 or later.

Proof-of-concept (high-level, safe description)

To avoid providing a fully weaponisable exploit, the following describes the request flow at a high level:

  • Target: https://example.com/wp-admin/admin-ajax.php
  • Method: POST (or GET depending on endpoint)
  • Key parameter: action=exportAll
  • Payload: a parameter controlling file selection that can include traversal sequences like ../

Log indicators to search for:

  • Requests to admin-ajax.php containing action=exportAll
  • Authenticated requests where the user role is Subscriber
  • Parameters containing ../, wp-config.php, .env, .sql, .zip or absolute paths

Immediate mitigations (if you cannot update right now)

Priority order:

  1. Update the plugin to 3.5.1.34 or later; this is the definitive fix.
  2. If updating immediately is impossible, apply temporary mitigations below.

A. Deactivate the plugin

Deactivating Smart Slider 3 prevents the vulnerable code from executing. Expect front-end slider disruption.

B. Restrict access to the vulnerable AJAX action (WP mu-plugin example)

Deploy the following as a temporary mu-plugin (place in wp-content/mu-plugins/) — test in staging first:

<?php
// Temporary mitigation (mu-plugin): block the exportAll AJAX action for non-admins.
// admin-ajax.php fires admin_init before dispatching wp_ajax_* handlers, so this
// runs ahead of the plugin's own handler; priority 0 keeps it ahead of other
// admin_init callbacks. A request that reaches the plugin by a route other than
// admin-ajax.php is not covered, so this is a stopgap, not a replacement for the update.
add_action( 'admin_init', function () {
    if ( isset( $_REQUEST['action'] ) && $_REQUEST['action'] === 'exportAll' ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            // Behind a reverse proxy REMOTE_ADDR is the proxy's address; log the
            // forwarded client IP as well if your setup provides it.
            error_log( sprintf(
                'Blocked exportAll attempt for user ID %d from IP %s',
                get_current_user_id(),
                $_SERVER['REMOTE_ADDR'] ?? 'unknown'
            ) );
            wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
        }
    }
}, 0 );

C. Webserver-based blocking

Block requests targeting admin-ajax.php with action=exportAll at the webserver or edge WAF. Note that a webserver rule cannot tell a Subscriber from an administrator, so it also blocks legitimate exports until the plugin is updated, and that query-string checks do not see parameters sent in a POST body (a body-inspecting WAF is needed for those).

D. Lock down admin-ajax.php access

If feasible, restrict access to admin-ajax.php to trusted origins or IPs for single-admin sites. Be aware that themes and plugins commonly call admin-ajax.php from the public front end (including for unauthenticated visitors), so test for breakage before enforcing this.

E. Disable user registration temporarily

Reducing available subscriber accounts lowers exposure while you patch.

F. Review and rotate secrets

If you suspect exposure, rotate DB credentials, salts, API keys and any secrets stored in files that might have been read.

WAF rules and signatures (examples)

These templates are conceptual — adapt and test before deployment.

1) Generic pattern (concept)

Block requests when:

  • Request path contains /wp-admin/admin-ajax.php
  • Request contains parameter action=exportAll
  • OR request includes suspicious file parameters with ../ or references to wp-config.php, .env, .sql, .zip

2) Example ModSecurity rule (conceptual; the id is a placeholder, use one from your own range)

Phase 2 is required: in phase 1 only the query string is visible, and this action is typically sent by POST. The chain denies only when all three conditions hold (admin-ajax.php, action=exportAll, and a traversal or sensitive-file pattern), which spares ordinary administrator exports; drop the third rule to block exportAll outright.

SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
  "id:1009001,phase:2,deny,status:403,log,msg:'Smart Slider 3 exportAll arbitrary file read attempt (CVE-2026-3098)',chain"
  SecRule ARGS:action "@rx ^exportAll$" "t:none,chain"
  SecRule ARGS_NAMES|ARGS "@rx (\.\./|\bwp-config\.php\b|\.env\b|\.sql\b|\.zip\b)" "t:none,t:urlDecodeUni,t:lowercase"

3) Example Nginx snippet

Nginx does not allow an if block nested inside another if, so the check is written as a map (http context) plus a single if (server context). $arg_action only sees the query string: a POST body carrying action=exportAll is not inspected here and needs a body-aware WAF such as ModSecurity. This rule also blocks legitimate administrator exports until the plugin is updated.

# http {} context
map "$uri:$arg_action" $ss3_block_export {
    default                                   0;
    "~^/wp-admin/admin-ajax\.php:exportAll$"  1;
}

# server {} context, before the PHP location
if ($ss3_block_export) {
    return 403;
}

4) Fail2Ban (log-based)

Create a log filter to detect repeated attempts to admin-ajax.php with action=exportAll and ban offending IPs after a threshold.

Note: Test all rules carefully to avoid blocking legitimate site functionality.

Detection: how to look for signs of exploitation

Search access logs and application logs for the following indicators:

  • Requests to admin-ajax.php with action=exportAll
  • Requests containing traversal sequences (../, ..%2f) or filenames (wp-config.php, .env, .sql, .zip)
  • Authenticated sessions where Subscriber accounts performed unexpected download/export actions
  • Large file downloads or responses with content types text/plain, application/octet-stream, or application/x-zip-compressed
  • Subsequent unusual database connections or new admin creation after suspicious reads

Example grep searches:

# Find admin-ajax exportAll attempts
grep "admin-ajax.php" /var/log/nginx/access.log | grep "action=exportAll"

# Detect requests asking for wp-config.php
grep -i "wp-config.php" /var/log/nginx/access.log

Check WordPress activity/audit logs (if available) for subscriber accounts invoking export or file access actions.
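The grep searches above find individual lines; an investigator usually wants the indicators applied together and grouped by client, which is also the threshold logic a Fail2Ban filter would apply. The script below is an added example, not part of the original advisory: it parses nginx/Apache combined-format access log lines, flags the exportAll action, traversal sequences (including single- and double-URL-encoded forms) and sensitive file names, and summarises hits per IP. The log lines embedded in SS3_SAMPLE_LOG are constructed for illustration, and the 2-hit ban threshold is an arbitrary choice.

```php
<?php
// Added example, not part of the original advisory: log triage for the indicators
// described above, grouped per client IP. The SS3_SAMPLE_LOG lines are constructed.
// Only the request line is inspected: GET query strings appear in access logs, POST
// bodies do not, so a body-borne file parameter is visible only through the action
// (and only if the action itself is in the query string).

const SS3_SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [27/Mar/2026:10:01:02 +0800] "GET /wp-admin/admin-ajax.php?action=exportAll&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 3120 "-" "curl/8.4.0"
203.0.113.10 - - [27/Mar/2026:10:01:05 +0800] "GET /wp-admin/admin-ajax.php?action=exportAll&file=../../.env HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [27/Mar/2026:10:02:11 +0800] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 90 "https://example.com/wp-admin/" "Mozilla/5.0"
192.0.2.44 - - [27/Mar/2026:10:03:40 +0800] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Mar/2026:10:04:00 +0800] "GET /wp-admin/admin-ajax.php?action=exportAll&file=backup.sql HTTP/1.1" 200 1048576 "-" "curl/8.4.0"
LOG;

// Parse one combined-format line into the fields we need, or return null.
function ss3_parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)/';
    if (preg_match($re, $line, $m) !== 1) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4],
            'status' => (int) $m[5], 'bytes' => $m[6] === '-' ? 0 : (int) $m[6]];
}

// Indicators a single request triggers (empty array means nothing suspicious).
function ss3_indicators(array $req): array
{
    $hits  = [];
    $parts = parse_url($req['target']) ?: [];
    $path  = $parts['path'] ?? '';
    $query = $parts['query'] ?? '';
    if (substr($path, -15) !== '/admin-ajax.php') {
        return $hits;
    }
    parse_str($query, $params);
    if (($params['action'] ?? '') === 'exportAll') {
        $hits[] = 'exportAll';
    }
    // Decode twice so single- and double-encoded traversal (..%2F, ..%252F) both surface.
    $decoded = rawurldecode(rawurldecode($query));
    if (preg_match('#\.\.[/\\\\]#', $decoded) === 1) {
        $hits[] = 'traversal';
    }
    if (preg_match('/wp-config\.php|\.env\b|\.sql\b|\.zip\b|backup|dump/i', $decoded) === 1) {
        $hits[] = 'sensitive-file';
    }
    return $hits;
}

// Group flagged requests by client IP; $threshold plays the role of Fail2Ban's maxretry.
function ss3_triage(string $log, int $threshold = 2): array
{
    $by_ip = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = ss3_parse_line($line);
        if ($req === null) {
            continue;
        }
        $hits = ss3_indicators($req);
        if ($hits === []) {
            continue;
        }
        $ip = $req['ip'];
        $by_ip[$ip]['hits']       = ($by_ip[$ip]['hits'] ?? 0) + 1;
        $by_ip[$ip]['bytes']      = ($by_ip[$ip]['bytes'] ?? 0) + $req['bytes'];
        $by_ip[$ip]['indicators'] = array_values(array_unique(array_merge($by_ip[$ip]['indicators'] ?? [], $hits)));
        $by_ip[$ip]['lines'][]    = $req['time'] . ' ' . $req['method'] . ' ' . $req['target'];
    }
    foreach ($by_ip as $ip => $info) {
        $by_ip[$ip]['ban_candidate'] = $info['hits'] >= $threshold;
    }
    return $by_ip;
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    // Pass a real access log path as the first argument to run against it.
    $log = isset($argv[1]) ? (string) file_get_contents($argv[1]) : SS3_SAMPLE_LOG;
    foreach (ss3_triage($log) as $ip => $info) {
        printf("%s: %d hit(s), %d bytes returned, indicators: %s%s\n", $ip, $info['hits'], $info['bytes'],
            implode(', ', $info['indicators']), $info['ban_candidate'] ? ' [ban candidate]' : '');
        foreach ($info['lines'] as $l) {
            echo "    $l\n";
        }
    }
}
```

On the sample, 203.0.113.10 is reported with three hits, all three indicators and about 1 MB returned; the POST from 198.51.100.7 is not flagged because its body is not in the log, which is exactly why the access-log search needs to be paired with WordPress-side audit logs or the mu-plugin's own error_log entries.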

Incident response checklist (step by step)

  1. Patch: Update Smart Slider 3 to 3.5.1.34 or higher immediately.
  2. Contain: If you cannot patch right away, deactivate the plugin and/or deploy blocking rules (see above).
  3. Restrict access: Disable registration, reset credentials for privileged accounts, and rotate database credentials if exposure is suspected.
  4. Investigate: Review logs for admin-ajax requests with export indicators. Identify the user account used and check for compromise.
  5. Clean up: Restore changed files from clean backups and remove unknown scheduled tasks or cron jobs.
  6. Harden: Apply least privilege practices, review plugins for other vulnerabilities, and strengthen access controls.
  7. Monitor: Increase logging, enable file integrity monitoring and continue to watch for repeated exploit attempts.
  8. Notify: Follow applicable breach-notification requirements if personal data may have been exposed.

Long-term hardening and detection

  • Principle of Least Privilege: Re-evaluate user roles and capabilities. Limit Subscriber rights to necessary actions.
  • Nonce and capability checks: Ensure plugin endpoints require valid nonces and capability checks before returning file content.
  • File permissions: Keep backups and sensitive files outside webroot and set strict filesystem permissions.
  • Limit PHP read scope: Configure PHP-FPM/webserver to limit accessible directories where practical.
  • Audit plugins regularly and apply timely updates.
  • Implement file integrity monitoring and scheduled scans for suspicious files and changes.

Seeking professional help

If you require assistance with log analysis, emergency patching, or incident response, engage a reputable security incident response provider or an experienced WordPress systems administrator. For Hong Kong organisations, consider providers with local incident response capabilities and familiarity with regional regulations and notification requirements.

When engaging help, provide:

  • Access logs and webserver logs covering the suspected time window
  • List of installed plugins and their versions
  • Evidence of suspicious downloads or changed files
  • Any user accounts suspected to be involved

Appendix: useful commands and references

Quick mu-plugin to block the vulnerable action: see mitigation B under "Immediate mitigations" above.

Audit script examples (grep)

# Search for lines where wp-config.php or .env were requested or mentioned
grep -iE "wp-config\.php|\.env" /var/log/nginx/access.log /var/log/apache2/access.log

# Search for admin-ajax.php export attempts
grep "admin-ajax.php" /var/log/nginx/access.log | grep "action=exportAll"

Database password rotation (brief steps)

  1. Create a new database user with a strong password and grant it the same privileges on the WordPress database as the old user.
  2. Update wp-config.php (DB_USER, DB_PASSWORD) with the new credentials.
  3. Test site functionality.
  4. Remove the old database user once the new credentials are confirmed working.

Indicators of Compromise (IoCs) and log searches

  • admin-ajax.php?action=exportAll
  • Parameters containing ../wp-config.php, .env, .sql, .zip, backup, dump
  • IPs making repeated requests to admin-ajax.php in short time windows
  • New admin users or file changes shortly after suspicious access events

If you find evidence of file download (for example, wp-config contents), assume credentials were exposed and rotate them immediately.

Closing remarks

Vulnerabilities that allow arbitrary file reads are highly consequential because they can rapidly lead to credential theft and full compromise. For operators in Hong Kong and the region: act swiftly, patch, and review logs for signs of exploitation. If you need assistance, retain an experienced incident responder and follow local notification obligations where applicable.

Stay vigilant.
