Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system that allows unauthenticated attackers to execute arbitrary code and commands. Attackers can trigger pre-authentication remote shell execution via HTTP headers, establish authenticated backdoors accepting arbitrary PHP code or OS commands, create hidden administrator accounts, exfiltrate credentials and access keys, and maintain persistence through multiple injection points including must-use plugins and core file modifications.
AnalysisAI
Supply chain compromise in Smart Slider 3 Pro 3.5.1.35 for WordPress and Joomla delivers multi-stage remote access toolkit via compromised update mechanism. Unauthenticated attackers achieve pre-authentication remote code execution through malicious HTTP headers, deploy authenticated backdoors accepting arbitrary PHP/OS commands, create hidden administrator accounts, exfiltrate credentials and API keys, and establish persistence via must-use plugins and core file modifications. Vendor confirmed malicious build distributed through official update channel. No public exploit identified at time of analysis.
Technical ContextAI
CWE-506 embedded malware injected through compromised build pipeline. Attack chain exploits HTTP header processing for initial unauthenticated RCE, then deploys secondary persistence mechanisms including must-use plugin installations and WordPress/Joomla core file tampering. Multiple backdoor entry points enable both web shell and command injection post-compromise.
RemediationAI
IMMEDIATE ACTION REQUIRED: Vendor confirms version 3.5.1.35 is malicious. WordPress users must upgrade to Smart Slider 3 Pro 3.5.1.36 or later immediately. Joomla users must upgrade to version 3.5.1.36 or later. Organizations running 3.5.1.35 must assume full compromise: rotate all credentials stored in affected environments, audit administrator accounts for unauthorized additions, scan for web shells and must-use plugins in wp-content/mu-plugins, verify core file integrity, review access logs for HTTP header anomalies, and conduct forensic analysis of potentially exfiltrated data. Do NOT simply upgrade in-place-perform clean reinstallation from verified source after compromise assessment. Vendor advisories: https://smartslider.helpscoutdocs.com/article/2144-wordpress-security-advisory-smart-slider-3-pro-3-5-1-35-compromise and https://smartslider.helpscoutdocs.com/article/2143-joomla-security-advisory-smart-slider-3-pro-3-5-1-35-compromise. Analysis: https://patchstack.com/articles/critical-supply-chain-compromise-in-smart-slider-3-pro-full-malware-analysis/
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-506 – Embedded Malicious Code
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21225
GHSA-37pc-8f3j-hpmr