ByteOS Network

CVE Vulnerability Details :

CVE-2026-34424

PUBLISHED

More Info Official Page

Assigner-VulnCheck

Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10

Published At-09 Apr, 2026 | 22:59

Updated At-14 May, 2026 | 16:05

▼CVE Numbering Authority (CNA)

Smart Slider 3 Pro 3.5.1.35 Supply Chain Attack Remote Access Toolkit

Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system that allows unauthenticated attackers to execute arbitrary code and commands. Attackers can trigger pre-authentication remote shell execution via HTTP headers, establish authenticated backdoors accepting arbitrary PHP code or OS commands, create hidden administrator accounts, exfiltrate credentials and access keys, and maintain persistence through multiple injection points including must-use plugins and core file modifications.

Affected Products

Vendor

Nextendweb

Product

Smart Slider 3 Pro for WordPress

Default Status

unaffected

Versions

Affected

3.5.1.35 (custom)

Unaffected

From 0 through 3.5.1.34 (custom)
3.5.1.36 (custom)

Vendor

Nextendweb

Product

Smart Slider 3 Pro for Joomla

Default Status

unaffected

Versions

Affected

3.5.1.35 (custom)

Unaffected

From 0 through 3.5.1.34 (custom)
3.5.1.36 (custom)

Problem Types

Type	CWE ID	Description
CWE	CWE-506	Embedded Malicious Code

Type: CWE

CWE ID: CWE-506

Description: Embedded Malicious Code

Metrics

Version	Base score	Base severity	Vector
4.0	9.3	CRITICAL	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3.1	9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Version: 4.0

Base score: 9.3

Base severity: CRITICAL

Vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Version: 3.1

Base score: 9.8

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Hyperlink	Resource
https://smartslider.helpscoutdocs.com/article/2144-wordpress-security-advisory-smart-slider-3-pro-3-5-1-35-compromise	vendor-advisory patch
https://smartslider.helpscoutdocs.com/article/2143-joomla-security-advisory-smart-slider-3-pro-3-5-1-35-compromise	vendor-advisory patch
https://patchstack.com/database/wordpress/plugin/nextend-smart-slider3-pro/vulnerability/wordpress-smart-slider-3-plugin-3-5-1-35-backdoor-vulnerability	third-party-advisory
https://patchstack.com/articles/critical-supply-chain-compromise-in-smart-slider-3-pro-full-malware-analysis/	technical-description
https://mysites.guru/blog/smart-slider-3-pro-supply-chain-compromise/	technical-description

Hyperlink: https://smartslider.helpscoutdocs.com/article/2144-wordpress-security-advisory-smart-slider-3-pro-3-5-1-35-compromise

Resource:

vendor-advisory

patch

Hyperlink: https://smartslider.helpscoutdocs.com/article/2143-joomla-security-advisory-smart-slider-3-pro-3-5-1-35-compromise

Resource:

vendor-advisory

patch

Hyperlink: https://patchstack.com/database/wordpress/plugin/nextend-smart-slider3-pro/vulnerability/wordpress-smart-slider-3-plugin-3-5-1-35-backdoor-vulnerability

Resource:

third-party-advisory

Hyperlink: https://patchstack.com/articles/critical-supply-chain-compromise-in-smart-slider-3-pro-full-malware-analysis/

Resource:

technical-description

Hyperlink: https://mysites.guru/blog/smart-slider-3-pro-supply-chain-compromise/

Resource:

technical-description

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Affected Products

Affected

Unaffected

Affected

Unaffected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References