Remote Code Execution Vulnerability in Smart Slider 3 Pro for Joomla and WordPress
CVE-2026-34424

9.3 CRITICAL

What is CVE-2026-34424?

Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla is compromised due to a multi-stage remote access toolkit embedded in its update system. This vulnerability permits unauthenticated attackers to execute arbitrary commands remotely by manipulating HTTP headers. Attackers can create backdoors that allow them to run PHP code, generate hidden administrator accounts, and exfiltrate sensitive credentials. Persistent access is maintained through multiple injection points, including essential plugins and modifications to core files, putting users at significant risk of unauthorized access and control over their websites.

Affected Version(s)

Smart Slider 3 Pro for Joomla 3.5.1.35

Smart Slider 3 Pro for WordPress 3.5.1.35

Smart Slider 3 Pro for Joomla 0

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
