Smart Slider 3 Pro Compromised Update Leads to Remote Code Execution
Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit, injected through a compromised update system, that allows unauthenticated remote code execution and system takeover.
Smart Slider 3 Pro version 3.5.1.35, a popular WordPress and Joomla plugin, is vulnerable to remote code execution due to a compromised update system. This vulnerability, tracked as CVE-2026-34424, allows unauthenticated attackers to inject a multi-stage remote access toolkit. The attackers leverage this toolkit to execute arbitrary code and commands, effectively taking control of the affected web server. This vulnerability poses a significant threat to websites using the vulnerable plugin, potentially leading to data theft, website defacement, or use of the server for malicious purposes. Defenders should prioritize patching or removing the affected plugin version immediately.
Attack Chain
- The attacker compromises the Smart Slider 3 Pro update server.
- A malicious update is pushed to vulnerable Smart Slider 3 Pro installations (version 3.5.1.35).
- The plugin downloads and installs the malicious update, injecting the multi-stage remote access toolkit.
- The attacker triggers pre-authentication remote shell execution by sending crafted HTTP headers to the web server.
- An authenticated backdoor is established, allowing the attacker to execute arbitrary PHP code or OS commands.
- The attacker creates hidden administrator accounts within WordPress or Joomla to maintain persistent access.
- Credentials and access keys are exfiltrated from the compromised system.
- Persistence is maintained through multiple injection points, including modifications to must-use plugins and core files.
Impact
Successful exploitation of CVE-2026-34424 leads to complete compromise of the affected web server. Attackers can gain unauthorized access to sensitive data, including user credentials, database information, and proprietary code. Websites can be defaced, injected with malware, or used as part of a botnet. The vulnerability affects all users of Smart Slider 3 Pro version 3.5.1.35, regardless of the underlying operating system. Given the widespread use of WordPress and Joomla, a large number of websites are potentially at risk.
Recommendation
- Immediately remove Smart Slider 3 Pro 3.5.1.35 or update it to a patched version newer than 3.5.1.35 to remediate CVE-2026-34424.
- Monitor web server logs for suspicious HTTP requests with unusual headers, which indicate attempted pre-authentication shell execution as described in the Attack Chain.
- Implement the provided Sigma rules to detect suspicious process creation and file modifications related to the injected toolkit.
- Audit user accounts for unauthorized administrators, because the attacker creates hidden administrator accounts.
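One way to run the administrator audit from the last recommendation, as an added example that is not part of the original advisory or the vendor's tooling. It reads the WordPress user tables directly instead of relying on the dashboard user list (assumption: code running inside the site could filter that list); the in-memory SQLite database, the account names and the approved-admin list are constructed stand-ins for the site's own database and records.

```python
import re
import sqlite3

# Role key as it appears in WordPress's PHP-serialized capabilities value.
ADMIN_KEY = re.compile(r's:13:"administrator";')


def build_sample_db():
    """Constructed rows shaped like WordPress's wp_users / wp_usermeta tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES
          (1, 'alice',       'alice@example.org', '2021-03-02 10:00:00'),
          (2, 'bob',         'bob@example.org',   '2022-07-19 08:30:00'),
          (3, 'svc_unknown', 'x@example.net',     '2026-01-15 03:12:44');
        INSERT INTO wp_usermeta VALUES
          (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
          (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
          (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return db


def find_unapproved_admins(db, approved_logins, prefix="wp_"):
    """Return (login, email, registered) for each administrator not on the approved list."""
    # The table prefix is spliced into SQL identifiers, so restrict its characters.
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("unexpected table prefix")
    rows = db.execute(
        f"SELECT u.user_login, u.user_email, u.user_registered, m.meta_value "
        f"FROM {prefix}usermeta m JOIN {prefix}users u ON u.ID = m.user_id "
        f"WHERE m.meta_key = ? ORDER BY u.user_registered",
        (prefix + "capabilities",),
    ).fetchall()
    return [
        (login, email, registered)
        for login, email, registered, caps in rows
        if ADMIN_KEY.search(caps) and login not in approved_logins
    ]


if __name__ == "__main__":
    for login, email, registered in find_unapproved_admins(build_sample_db(), {"alice"}):
        print(f"UNAPPROVED ADMIN {login} <{email}> registered {registered}")
```

Against a live site, run the same query on the production database with the site's own table prefix and compare the result with the list of administrators the site owner has actually approved.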
Detection coverage (3 rules)
Detect Smart Slider 3 Pro HTTP Header RCE Attempt
Severity: critical. Detects attempts to exploit CVE-2026-34424 by sending malicious HTTP headers to trigger pre-authentication remote shell execution.
Detect Smart Slider 3 Pro Suspicious File Modification
Severity: high. Detects modification of core files or plugin files associated with Smart Slider 3 Pro, indicating a potential compromise.
Detect Smart Slider 3 Pro Admin Account Creation
Severity: high. Detects creation of new administrator accounts potentially through the compromised plugin.
Detection queries are kept inside the platform.