Smart Slider 3 Pro Supply Chain Attack: Pre-Auth RCE and Backdoor Analysis

Smart Slider 3 Pro Supply Chain Vulnerability Summary Vulnerability Overview This is a severe supply chain attack targeting the Smart Slider 3 Pro plugin. Attackers compromised the update infrastructure of the developer, Nextend, and injected malicious code into the officially released Smart Slider 3 Pro version 3.5.1.35. The malicious code is designed as a multi-stage attack: 1. Unauthenticated Remote Command Execution (RCE): Triggered via specific HTTP headers ( and ), allowing attackers to execute system commands without authentication. 2. Authenticated Backdoor: Activated via specific GET parameters ( ) and POST parameters ( ), supporting PHP code execution ( ) and system command execution ( , etc.). 3. Persistence: Creates a hidden "WordPress Service" administrator account, maintaining access even if the plugin is uninstalled. Impact Scope Affected Product: Smart Slider 3 Pro (WordPress slider plugin). Affected Version: 3.5.1.35 (released on April 7, 2026). Unaffected Versions: The free version in the WordPress.org plugin repository is not affected. Risk Level: Critical. Any website that updated to version 3.5.1.35 between April 7, 2026, and the time the version was detected and pulled (approximately 6 hours later) is considered fully compromised. Remediation Plan 1. Upgrade: Ensure that the running version of Smart Slider 3 Pro is at least 3.5.1.36. 2. Cleanup: If version 3.5.1.35 was installed, the site should be treated as fully compromised regardless of whether anomalies were detected, and a thorough cleanup must be performed immediately. 3. Inspection: Check for the existence of hidden administrator accounts starting with the prefix . Malicious Code (POC/Exploit) 1. Pre-authentication Remote Command Execution (HTTP Headers) 2. Authenticated Backdoor 3. Hidden Administrator Account Creation (Persistence)

Goal Reached Thanks to every supporter — we hit 100%!

Smart Slider 3 Pro Supply Chain Attack: Pre-Auth RCE and Backdoor Analysis