CVE-2026-3098: Smart Slider 3 Lets Subscribers Read Any File on Your Server
A vulnerability in Smart Slider 3, one of WordPress's most widely installed plugins with over 800,000 active installs, allows any authenticated user - including those with subscriber-level access - to read arbitrary files from the server. The flaw is tracked as CVE-2026-3098 and affects all versions of the plugin through 3.5.1.33. A patch was released on March 24 as version 3.5.1.34, but plugin download statistics suggest that around 500,000 sites are still running a vulnerable version.
What the vulnerability does
The issue is a missing capability check in the plugin's AJAX export actions. Smart Slider 3's actionExportAll function is intended to export slider content, but it performs no validation on file types or file sources. Any authenticated user can invoke it via a standard AJAX request. A nonce is present but provides no protection here - authenticated users can obtain it through normal site interaction.
Because the export function places no restriction on which files it can include, an attacker with a subscriber account can use it to read any file accessible to the web server process. The most immediately dangerous target is wp-config.php, which contains database credentials, authentication keys, and cryptographic salts. With those in hand, an attacker has everything needed to access the database directly and, depending on the hosting environment, escalate to full site compromise.
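The defect described above is a textbook missing-authorization bug in a WordPress AJAX handler. The following is an added, illustrative example and not Smart Slider 3's code: it shows the nonce-only pattern next to a hardened handler that adds a capability check and confines reads to one export directory (all function names, the nonce action and the export path are hypothetical).

```php
<?php
// Illustrative WordPress AJAX export handlers. Not the plugin's code;
// "example_export", the nonce action and the export directory are hypothetical.

// Weak pattern: a nonce alone is not authorization. Any logged-in user,
// including a subscriber, can fetch the nonce from a page that renders it,
// and nothing limits which file is returned.
function example_export_weak() {
    check_ajax_referer('example_export', 'nonce');
    $path = (string) ($_POST['file'] ?? '');
    readfile($path);   // arbitrary file read by any authenticated user
    wp_die();
}

// Hardened pattern: require an administrative capability, then confine the
// requested file to a fixed export directory and an allow-listed extension.
function example_export_hardened() {
    check_ajax_referer('example_export', 'nonce');

    // Authorization: subscribers do not hold manage_options.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);   // calls wp_die()
    }

    // Path confinement: basename() strips directory components, realpath()
    // resolves symlinks, and the prefix test rejects anything outside $base.
    $base      = realpath(wp_upload_dir()['basedir'] . '/example-exports');
    $requested = realpath($base . '/' . basename((string) ($_POST['file'] ?? '')));

    if ($base === false
        || $requested === false
        || strpos($requested, $base . DIRECTORY_SEPARATOR) !== 0
        || pathinfo($requested, PATHINFO_EXTENSION) !== 'zip') {  // example allow-list
        wp_send_json_error('invalid file', 400);
    }

    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($requested) . '"');
    readfile($requested);
    wp_die();
}

// Register only the hardened handler; wp_ajax_ hooks run for logged-in users.
add_action('wp_ajax_example_export', 'example_export_hardened');
```

When reviewing a plugin's AJAX actions, check every `wp_ajax_*` callback for a `current_user_can()` test in addition to the nonce; a nonce proves the request came from the site's own page, not that the user is allowed to perform the action.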
How to fix it
Update Smart Slider 3 to version 3.5.1.34 or later. The patch was released by Nextendweb on March 24 following responsible disclosure by researcher Dmitrii Ignatyev via Wordfence.
If your site has any kind of user registration or membership - even a basic subscription opt-in - this vulnerability is exploitable by anyone who can create or already holds an account. Sites with no registered users are not exposed via this specific path, but the update is still advisable given the sensitivity of what the flaw exposes.
CVE-2026-3098 is not yet flagged as actively exploited. That status typically changes quickly once a patch is public and the gap between patched and unpatched installs becomes measurable. The practical window to update before exploitation begins is short.
