SB20260409111 - Backdoor in Nextend Smart Slider 3 Pro plugin for WordPress

Description

This security bulletin contains information about 1 vulnerability.

1) Embedded malicious code (backdoor) (CVE-ID: N/A)

CWE-ID: CWE-506 - Embedded Malicious Code

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to presence of embedded malicious functionality in the application code (aka backdoor) that allows a remote attacker to gain unauthorized access to the application.

Note, an unauthorized party gained access to Nextend update infrastructure on April 7 and distributed a fully attacker-authored build through the official update channel. Only version 3.5.1.35 contained the backdoor code.

Remediation

Install update from vendor's website.

References

• https://patchstack.com/articles/critical-supply-chain-compromise-in-smart-slider-3-pro-full-malware-analysis/
• https://patchstack.com/database/wordpress/plugin/nextend-smart-slider3-pro/vulnerability/wordpress-smart-slider-3-plugin-3-5-1-35-backdoor-vulnerability