Attack Chain

1. The attacker compromises the Smart Slider 3 Pro update server.
2. A malicious update is pushed to vulnerable Smart Slider 3 Pro installations (version 3.5.1.35).
3. The plugin downloads and installs the malicious update, injecting the multi-stage remote access toolkit.
4. The attacker triggers pre-authentication remote shell execution by sending crafted HTTP headers to the web server.
5. An authenticated backdoor is established, allowing the attacker to execute arbitrary PHP code or OS commands.
6. The attacker creates hidden administrator accounts within WordPress or Joomla to maintain persistent access.
7. Credentials and access keys are exfiltrated from the compromised system.
8. Persistence is maintained through multiple injection points, including modifications to must-use plugins and core files.

Impact

Successful exploitation of CVE-2026-34424 leads to complete compromise of the affected web server. Attackers can gain unauthorized access to sensitive data, including user credentials, database information, and proprietary code. Websites can be defaced, injected with malware, or used as part of a botnet. The vulnerability affects all users of Smart Slider 3 Pro version 3.5.1.35, regardless of the underlying operating system. Given the widespread use of WordPress and Joomla, a large number of websites are potentially at risk.

Recommendation

• Immediately remove or update Smart Slider 3 Pro to a patched version newer than 3.5.1.35 to remediate CVE-2026-34424.
• Monitor web server logs for suspicious HTTP requests with unusual headers indicative of attempted pre-authentication shell execution as described in the Attack Chain.
• Implement the provided Sigma rules to detect suspicious process creation and file modifications related to the injected toolkit.
• Audit user accounts for unauthorized administrator accounts as the attacker creates hidden accounts.