Cyber Posture

CVE-2026-34424

Critical

Published: 09 April 2026
Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0035 (57.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34424 is a critical-severity Embedded Malicious Code (CWE-506) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002); ranked in the top 42.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-3 (Malicious Code Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Compromise Software Supply Chain (T1195.002) and 4 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: Verifies authenticity of supply chain components like compromised plugin updates prior to incorporation, directly countering the injected multi-stage remote access toolkit.

Prevent: Mandates cryptographic signing of software components such as plugins, preventing loading of tampered updates from the compromised Smart Slider 3 Pro supply chain.

Detect / Respond: Deploys malicious code protection at entry points and through periodic scans to detect and eradicate the injected backdoors, shell execution, and persistence mechanisms.
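As an added example (not code from the page or from the Smart Slider project), this is the installer-side check the signed-components control above calls for: a plugin update is rejected unless its SHA-256 digest, bound to the declared version, carries a valid Ed25519 signature from a publisher key pinned in the site's own configuration. The SignedUpdate format and the key-handling model are assumptions; the archive bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedUpdate is what an update server would send alongside the archive (constructed format, not Smart Slider's own).
type SignedUpdate struct {
	Version   string
	Archive   []byte // plugin zip bytes
	Signature []byte // Ed25519 signature over sha256(version || 0x00 || archive)
}

var errUntrusted = errors.New("update rejected: signature does not verify under pinned publisher key")

// digest binds the version string to the archive bytes so a validly signed older archive cannot be replayed as a newer version.
func digest(version string, archive []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0})
	h.Write(archive)
	return h.Sum(nil)
}

// Sign runs in the vendor's release pipeline; the private key never reaches the site.
func Sign(priv ed25519.PrivateKey, version string, archive []byte) []byte {
	return ed25519.Sign(priv, digest(version, archive))
}

// VerifyUpdate is the installer-side check: pub is pinned with the site, never fetched from the update server.
func VerifyUpdate(pub ed25519.PublicKey, u SignedUpdate) error {
	if len(pub) != ed25519.PublicKeySize || len(u.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(pub, digest(u.Version, u.Archive), u.Signature) {
		return errUntrusted
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	genuine := []byte("PK\x03\x04 genuine plugin archive (constructed)")
	u := SignedUpdate{Version: "3.5.1.35", Archive: genuine, Signature: Sign(priv, "3.5.1.35", genuine)}
	fmt.Println("genuine:", VerifyUpdate(pub, u))
	// Bytes altered on a compromised update server no longer match the signature.
	u.Archive = append(u.Archive, "<?php /* injected at update server */"...)
	fmt.Println("tampered:", VerifyUpdate(pub, u))
}
```

A compromised update server that lacks the publisher's private key cannot produce a signature that verifies, so the injected archive is refused before any file is extracted.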

MITRE ATT&CK Enterprise Techniques [AI]

T1195.002 Compromise Software Supply Chain Initial Access
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1136.001 Local Account Persistence
Adversaries may create a local account to maintain access to victim systems.
T1564.002 Hidden Users Stealth
Adversaries may use hidden users to hide the presence of user accounts they create or modify.
Why these techniques?

Supply chain compromise via plugin update (T1195.002); unauthenticated RCE on a public-facing web application (T1190); backdoors enabling arbitrary code or OS command execution, acting as web shells (T1505.003); creation of hidden administrator accounts (T1136.001, T1564.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system that allows unauthenticated attackers to execute arbitrary code and commands. Attackers can trigger pre-authentication remote shell execution via HTTP headers, establish authenticated backdoors accepting arbitrary PHP code or OS commands, create hidden administrator accounts, exfiltrate credentials and access keys, and maintain persistence through multiple injection points including must-use plugins and core file modifications.

Deeper analysis [AI]

CVE-2026-34424 is a critical supply chain compromise affecting Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla. A multi-stage remote access toolkit was injected through the plugin's compromised update system, enabling unauthenticated attackers to execute arbitrary code and commands. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-506 (Embedded Malicious Code).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. They can trigger pre-authentication remote shell execution via HTTP headers, establish authenticated backdoors that accept arbitrary PHP code or OS commands, create hidden administrator accounts, exfiltrate credentials and access keys, and achieve persistence through multiple injection points such as must-use plugins and core file modifications.

Vendor security advisories for WordPress and Joomla, along with detailed analyses from Patchstack and other sources, document the compromise and provide guidance on mitigation. Security practitioners should consult these resources, including the Smart Slider Help Scout documentation and Patchstack vulnerability database entries, for specific remediation steps such as plugin removal or updates to address the injected malware.

Details

CWE(s)

Affected Products

Pro
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-59374 (shared CWE-506)
CVE-2026-45321 (shared CWE-506)
CVE-2025-30066 (shared CWE-506)
CVE-2026-33634 (shared CWE-506)
CVE-2025-30154 (shared CWE-506)
CVE-2025-54313 (shared CWE-506)
CVE-2026-8398 (shared CWE-506)
CVE-2026-31976 (shared CWE-506)
CVE-2026-6443 (shared CWE-506)
CVE-2026-34841 (shared CWE-506)

References