Cyber Posture

CVE-2026-34424

Critical

Published: 09 April 2026

Modified: 15 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0024 (47.0th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system that allows unauthenticated attackers to execute arbitrary code and commands. Attackers can trigger pre-authentication remote shell execution via HTTP headers, establish authenticated backdoors accepting arbitrary PHP code or OS commands, create hidden administrator accounts, exfiltrate credentials and access keys, and maintain persistence through multiple injection points including must-use plugins and core file modifications.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Verifies authenticity of supply chain components like compromised plugin updates prior to incorporation, directly countering the injected multi-stage remote access toolkit.

prevent

Mandates cryptographic signing of software components such as plugins, preventing loading of tampered updates from the compromised Smart Slider 3 Pro supply chain.

detect / respond

Deploys malicious code protection at entry points and through periodic scans to detect and eradicate the injected backdoors, shell execution, and persistence mechanisms.

Security Summary [AI]

CVE-2026-34424 is a critical supply chain compromise affecting Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla. A multi-stage remote access toolkit was injected through the plugin's compromised update system, enabling unauthenticated attackers to execute arbitrary code and commands. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-506 (Embedded Malicious Code).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. They can trigger pre-authentication remote shell execution via HTTP headers, establish authenticated backdoors that accept arbitrary PHP code or OS commands, create hidden administrator accounts, exfiltrate credentials and access keys, and achieve persistence through multiple injection points such as must-use plugins and core file modifications.

Vendor security advisories for WordPress and Joomla, along with detailed analyses from Patchstack and other sources, document the compromise and provide guidance on mitigation. Security practitioners should consult these resources, including the Smart Slider Help Scout documentation and Patchstack vulnerability database entries, for specific remediation steps such as plugin removal or updates to address the injected malware.

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques [AI]

T1195.002 Compromise Software Supply Chain (Initial Access)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

T1136.001 Local Account (Persistence)
Adversaries may create a local account to maintain access to victim systems.

T1564.002 Hidden Users (Stealth)
Adversaries may use hidden users to hide the presence of user accounts they create or modify.

Why these techniques?

Supply chain compromise via plugin update (T1195.002), unauthenticated RCE on a public-facing web app (T1190), backdoors accepting arbitrary PHP code or OS commands, which function as web shells (T1505.003), and creation of hidden admin accounts (T1136.001, T1564.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References