{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34424", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-27T15:24:06.752Z", "datePublished": "2026-04-09T22:59:38.306Z", "dateUpdated": "2026-04-09T22:59:38.306Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-09T22:59:38.306Z"}, "title": "Smart Slider 3 Pro 3.5.1.35 Supply Chain Attack Remote Access Toolkit", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-506", "description": "CWE-506 Embedded Malicious Code", "type": "CWE"}]}], "affected": [{"vendor": "Nextendweb", "product": "Smart Slider 3 Pro for WordPress", "versions": [{"status": "affected", "version": "3.5.1.35", "versionType": "semver"}, {"status": "unaffected", "version": "0", "lessThanOrEqual": "3.5.1.34", "versionType": "semver"}, {"status": "unaffected", "version": "3.5.1.36", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Nextendweb", "product": "Smart Slider 3 Pro for Joomla", "versions": [{"status": "affected", "version": "3.5.1.35", "versionType": "semver"}, {"status": "unaffected", "version": "0", "lessThanOrEqual": "3.5.1.34", "versionType": "semver"}, {"status": "unaffected", "version": "3.5.1.36", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system that allows unauthenticated attackers to execute arbitrary code and commands. Attackers can trigger pre-authentication remote shell execution via HTTP headers, establish authenticated backdoors accepting arbitrary PHP code or OS commands, create hidden administrator accounts, exfiltrate credentials and access keys, and maintain persistence through multiple injection points including must-use plugins and core file modifications.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system that allows unauthenticated attackers to execute arbitrary code and commands. Attackers can trigger pre-authentication remote shell execution via HTTP headers, establish authenticated backdoors accepting arbitrary PHP code or OS commands, create hidden administrator accounts, exfiltrate credentials and access keys, and maintain persistence through multiple injection points including must-use plugins and core file modifications.<br>"}]}], "tags": ["x_known-exploited-vulnerability"], "references": [{"url": "https://smartslider.helpscoutdocs.com/article/2144-wordpress-security-advisory-smart-slider-3-pro-3-5-1-35-compromise", "tags": ["vendor-advisory", "patch"]}, {"url": "https://smartslider.helpscoutdocs.com/article/2143-joomla-security-advisory-smart-slider-3-pro-3-5-1-35-compromise", "tags": ["vendor-advisory", "patch"]}, {"url": "https://patchstack.com/database/wordpress/plugin/nextend-smart-slider3-pro/vulnerability/wordpress-smart-slider-3-plugin-3-5-1-35-backdoor-vulnerability", "tags": ["third-party-advisory"]}, {"url": "https://patchstack.com/articles/critical-supply-chain-compromise-in-smart-slider-3-pro-full-malware-analysis/", "tags": ["technical-description"]}, {"url": "https://mysites.guru/blog/smart-slider-3-pro-supply-chain-compromise/", "tags": ["technical-description"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "vulncheck"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nextendweb:smart_slider_3:3.5.1.35:*:*:*:*:wordpress:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nextendweb:smart_slider_3:3.5.1.35:*:*:*:*:joomla:*:*"}]}]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system that allows unauthenticated attackers to execute arbitrary code and commands. Attackers can trigger pre-authentication remote shell execution via HTTP headers, establish authenticated backdoors accepting arbitrary PHP code or OS commands, create hidden administrator accounts, exfiltrate credentials and access keys, and maintain persistence through multiple injection points including must-use plugins and core file modifications."}], "id": "CVE-2026-34424", "lastModified": "2026-04-09T23:17:00.540", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-09T23:17:00.540", "references": [{"source": "disclosure@vulncheck.com", "url": "https://mysites.guru/blog/smart-slider-3-pro-supply-chain-compromise/"}, {"source": "disclosure@vulncheck.com", "url": "https://patchstack.com/articles/critical-supply-chain-compromise-in-smart-slider-3-pro-full-malware-analysis/"}, {"source": "disclosure@vulncheck.com", "url": "https://patchstack.com/database/wordpress/plugin/nextend-smart-slider3-pro/vulnerability/wordpress-smart-slider-3-plugin-3-5-1-35-backdoor-vulnerability"}, {"source": "disclosure@vulncheck.com", "url": "https://smartslider.helpscoutdocs.com/article/2143-joomla-security-advisory-smart-slider-3-pro-3-5-1-35-compromise"}, {"source": "disclosure@vulncheck.com", "url": "https://smartslider.helpscoutdocs.com/article/2144-wordpress-security-advisory-smart-slider-3-pro-3-5-1-35-compromise"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-506"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["wordpress"], "status": "affected", "versions": {"scheme": "semver", "value": "3.5.1.35"}}, {"platform": ["wordpress"], "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,3.5.1.34]"}}, {"platform": ["wordpress"], "status": "unaffected", "versions": {"scheme": "semver", "value": "[3.5.1.36,*]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Smart Slider 3 Pro for WordPress", "source": "cna", "vendor": "Nextendweb"}, "product": "smart_slider_3", "vendor": "nextendweb"}, {"configurations": [{"platform": ["joomla"], "status": "affected", "versions": {"scheme": "semver", "value": "3.5.1.35"}}, {"platform": ["joomla"], "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,3.5.1.34]"}}, {"platform": ["joomla"], "status": "unaffected", "versions": {"scheme": "semver", "value": "[3.5.1.36,*]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Smart Slider 3 Pro for Joomla", "source": "cna", "vendor": "Nextendweb"}, "product": "smart_slider_3", "vendor": "nextendweb"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-10T00:23:12.429771+00:00", "value": {"mitigation_remediation": ["Check Nextendweb\u2019s vendor website or the plugin\u2019s support channels for an official patch or a newer, untainted release of Smart Slider 3 Pro.", "If a patch is not yet available, uninstall or delete the Smart Slider 3 Pro plugin from all affected WordPress and Joomla installations to immediately remove the compromised code.", "Reinstall the plugin from a clean, verified source once a safe update is released, ensuring that the new copy is not tampered with.", "Scan the entire site for injected files, especially must\u2011use plugins and modified core files, and remove or replace any that appear to be malicious.", "Audit all user accounts for unexpected administrator accounts, reset credentials, and revoke any privileges that are no longer needed.", "Perform a full security audit, including file integrity checks and monitoring of logs, and look for signs of ongoing persistence or abuse of the backdoor."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Nextendweb\u2019s Smart Slider 3 Pro plugin for Joomla and for WordPress, specifically version 3.5.1.35. No other versions or products are listed as impacted.", "description_and_impact": "Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi\u2011stage remote access toolkit injected through a compromised update system. The compromise allows unauthenticated attackers to trigger pre\u2011authentication remote shell execution via crafted HTTP headers, establish authenticated backdoors that accept arbitrary PHP or OS commands, create hidden administrator accounts, exfiltrate credentials and access keys, and maintain persistence through multiple injection points including must\u2011use plugins and core file modifications. These capabilities provide attackers with full control over the compromised sites, compromising confidentiality, integrity, and availability of the affected systems.", "risk_and_exploitability": "The CVSS score of 9.3 indicates a critical severity. Exploitability data from the exploit prediction service is unavailable, and the vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the likely exploitation path involves sending a specially crafted HTTP request that includes malicious headers to the vulnerable site, which then executes arbitrary code; at the same time the attacker can add administrative accounts and alter core files for persistence. The absence of a requirement for prior authentication greatly increases the risk to unprotected sites. "}}}}, "created": "2026-04-10T08:36:32.148753+00:00", "updated": "2026-04-10T09:27:31.642361+00:00", "vendors": ["nextendweb", "nextendweb$PRODUCT$smart_slider_3", "wordpress", "wordpress$PRODUCT$wordpress"]}