CVE-2026-34424: Smart Slider 3 Pro RCE
Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system that allows unauthenticated attackers to execute ...
Overview
CVE-2026-34424 is a critical supply-chain vulnerability affecting Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla. The plugin’s update mechanism was compromised, delivering a malicious update that injected a multi-stage remote access toolkit directly into websites. This allows attackers to take full control of affected sites without any authentication.
Technical Impact
The injected toolkit provides attackers with extensive capabilities. Attackers can trigger remote shell execution simply by sending a crafted HTTP request. The backdoor functionality allows for the execution of arbitrary PHP code and operating system commands, the creation of hidden administrator accounts, and the exfiltration of sensitive data like database credentials and API keys. The malware is designed for persistence, embedding itself in multiple locations such as must-use WordPress plugins and core plugin files, making manual removal difficult.
Affected Versions
- Smart Slider 3 Pro version 3.5.1.35 for WordPress
- Smart Slider 3 Pro version 3.5.1.35 for Joomla
All other versions are not affected by this specific supply-chain compromise.
Remediation Steps
Immediate action is required for any site running the affected version.
- Complete Reinstallation: Do not simply update the plugin. You must first completely remove the compromised version (3.5.1.35) from your site. Delete the plugin files via your hosting control panel or FTP.
- Install a Clean Version: Download the latest version of Smart Slider 3 Pro directly from the official Nextend web portal. Do not use any cached copies of the plugin from your site backups, as they may contain the malicious code.
- Security Audit: After reinstallation, conduct a thorough security audit. Check for and remove any unknown administrator users, review server access logs for suspicious activity, and rotate all credentials (database passwords, WordPress salts, API keys). Consider using a security plugin to scan for remaining backdoors.
- Monitor: Closely monitor the site for unusual behavior. For ongoing threat intelligence, you can review recent incidents in our breach reports and security news.
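One way to carry out the file-level part of the audit above, as an added example that is not part of this advisory or of Nextend's own code: hash every file in the installed plugin tree, compare it against a freshly downloaded clean copy, report anything added or altered, and list what loads from wp-content/mu-plugins (the page names must-use plugins and core plugin files as persistence locations). The plugin directory name, the site layout and every sample file here are constructed assumptions; run it against the real site root and the real clean download.

```python
"""Post-reinstall audit helper: find files in an installed plugin tree that do not
match a clean reference copy, and list must-use plugins that load automatically.
Added example; the directory names and sample files are constructed assumptions."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(reference, installed):
    """Compare two {relpath: digest} maps.  Files present only in the installed
    tree, or whose contents differ from the clean copy, are what an audit must inspect."""
    shared = reference.keys() & installed.keys()
    return {
        "added": sorted(set(installed) - set(reference)),
        "missing": sorted(set(reference) - set(installed)),
        "modified": sorted(p for p in shared if reference[p] != installed[p]),
    }


def list_mu_plugins(site_root):
    """Return PHP files under wp-content/mu-plugins.  Must-use plugins load on every
    request and cannot be deactivated from the dashboard, so each needs a known origin."""
    mu_dir = Path(site_root) / "wp-content" / "mu-plugins"
    if not mu_dir.is_dir():
        return []
    return sorted(p.relative_to(mu_dir).as_posix() for p in mu_dir.rglob("*.php"))


def audit_plugin(site_root, clean_plugin_dir, plugin_dir_name="smart-slider-3-pro"):
    """Full report for one site.  plugin_dir_name is an assumed slug, not taken from
    the advisory; pass the directory name your installation actually uses."""
    installed_dir = Path(site_root) / "wp-content" / "plugins" / plugin_dir_name
    report = compare_trees(hash_tree(clean_plugin_dir), hash_tree(installed_dir))
    report["mu_plugins"] = list_mu_plugins(site_root)
    return report


def run_demo():
    """Build a constructed site and clean copy in a temp dir and audit it.
    The file contents are placeholders, not real plugin or malicious code."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean-download" / "smart-slider-3-pro"
        site = Path(tmp) / "public_html"
        installed = site / "wp-content" / "plugins" / "smart-slider-3-pro"
        for base in (clean, installed):
            (base / "includes").mkdir(parents=True)
            (base / "smart-slider-3-pro.php").write_text("<?php // constructed entry file\n")
            (base / "includes" / "slider.php").write_text("<?php // constructed library file\n")
        # Installed copy differs from the clean one: one altered file, one extra file.
        (installed / "includes" / "slider.php").write_text("<?php // constructed altered copy\n")
        (installed / "includes" / "cache.php").write_text("<?php // constructed extra file\n")
        # A must-use plugin the site owner did not knowingly install.
        (site / "wp-content" / "mu-plugins").mkdir(parents=True)
        (site / "wp-content" / "mu-plugins" / "loader.php").write_text("<?php // constructed\n")
        return audit_plugin(site, clean)


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key}: {paths}")
```

Treat every entry under "added", "modified" and "mu_plugins" as unexplained until its origin is confirmed; run the same comparison against plugin directories restored from backups before trusting them, since the advisory warns those copies may still carry the injected code.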
Security Insight
This incident highlights the severe risk posed by compromised software update channels, a threat vector that bypasses traditional perimeter defenses. It mirrors the pattern of the 2021 Codecov breach, where a tampered CI/CD tool led to widespread infection. The sophistication of the injected toolkit, with its multiple persistence mechanisms, suggests the compromise was targeted and deliberate, raising serious questions about the security of the vendor’s build and distribution infrastructure.