Smart Slider 3 Pro Vulnerability (CVE-2026-34424)

Security Alert Summary

Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla was subject to a supply-chain compromise that injected a multi-stage remote access toolkit via the plugin update system. The injected code can allow unauthenticated attackers to execute arbitrary code and commands, install persistent backdoors and hidden administrator accounts, and exfiltrate credentials and access keys.

CVE Details

• CVE ID: CVE-2026-34424
• Affected component: Smart Slider 3 Pro for WordPress and Joomla
• Affected versions: 3.5.1.35
• Published: April 9, 2026 11:17 PM UTC
• Last modified: April 9, 2026 11:17 PM UTC
• CVSS v3.1 base score: 9.8
• CVSS v3.1 severity: CRITICAL
• CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
• Authentication requirements: None (unauthenticated)
• Privileges required: None
• User interaction: None
• Primary impact: Confidentiality: High; Integrity: High; Availability: High
• CWE / weakness: CWE-506

Technical Details

The vulnerability is the result of a supply-chain compromise that injected a remote access toolkit into Smart Slider 3 Pro via a compromised update mechanism. The injected code enables pre-authentication remote shell execution triggered via HTTP headers, and it establishes authenticated backdoors that accept arbitrary PHP code or operating system commands.

The compromise also includes the ability to create hidden administrator accounts, exfiltrate credentials and access keys, and maintain persistence through multiple injection points such as must-use plugins and modifications to core files. These behaviors enable attackers to retain long-term access and execute code on affected sites.

How This Could Impact Your Website

In a realistic scenario, a site owner may continue routine content updates while internal staff and an external contractor each use their normal accounts. If the plugin on that site is the compromised version, an unauthenticated attacker could execute commands or install backdoors without interacting with those users. That could lead to exposure of internal user email addresses or other stored credentials, and increase the risk of targeted phishing or social engineering against staff and contractors.

Because the compromise can create hidden administrator accounts and maintain persistence, cleanup can be complex and may require thorough review of user accounts, installed plugins, and modified files. If youre unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

• Update the affected plugin as soon as a patched version is available.
• Review and reduce unnecessary user roles, especially contributor and editor accounts.
• Enforce strong passwords and enable two-factor authentication for editors and administrators.
• Remove unused or unmaintained plugins and verify plugin sources before installing.
• Monitor site activity and logs for unusual behavior, especially unexpected administrator accounts or file changes.

If youd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

References

• https://mysites.guru/blog/smart-slider-3-pro-supply-chain-compromise/
• https://patchstack.com/articles/critical-supply-chain-compromise-in-smart-slider-3-pro-full-malware-analysis/
• https://patchstack.com/database/wordpress/plugin/nextend-smart-slider3-pro/vulnerability/wordpress-smart-slider-3-plugin-3-5-1-35-backdoor-vulnerability
• https://smartslider.helpscoutdocs.com/article/2143-joomla-security-advisory-smart-slider-3-pro-3-5-1-35-compromise
• https://smartslider.helpscoutdocs.com/article/2144-wordpress-security-advisory-smart-slider-3-pro-3-5-1-35-compromise