Backdoored Smart Slider 3 Pro Update Compromises Over 800,000 WordPress Sites

Unknown threat actors have compromised the update system for the Smart Slider 3 Pro plugin, affecting both its WordPress and Joomla editions. The plugin is widely used, with over 800,000 active installations across its free and Pro versions, which is why the incident has raised alarms within the cybersecurity community.

Details of the Compromise

The incident centers around Smart Slider 3 Pro version 3.5.1.35, which was released on April 7, 2026. According to Patchstack, a WordPress security firm, an unauthorized party gained access to Nextend’s update infrastructure, distributing a malicious version of the plugin through the official update channel. This compromised version was available for approximately six hours before detection.

Patchstack stated, “Any site that updated to 3.5.1.35 between its release and its detection received a fully weaponized remote access toolkit.” The implications of this breach are severe, as it allows attackers to execute arbitrary commands and maintain persistent access to compromised sites.

Technical Capabilities of the Malware

The trojanized update possesses several alarming capabilities:

  • Remote Code Execution: The malware provides pre-authentication remote code execution triggered through custom HTTP headers, allowing attackers to run arbitrary PHP code and system commands.
  • Creation of Rogue Administrator Accounts: The malware can create hidden administrator accounts that remain undetectable to legitimate users, ensuring persistent access.
  • Data Exfiltration: The backdoor can exfiltrate sensitive information, including site URLs, WordPress versions, and administrator credentials, to a command-and-control domain.
  • Multi-layered Persistence: The malware installs itself in multiple locations within the WordPress environment, ensuring redundancy and resilience against removal attempts.

Patchstack noted, “The sophistication of the payload is notable: rather than a simple webshell, the attacker deployed a multi-layered persistence toolkit with several independent, redundant re-entry points.”

Response from Nextend

Nextend, the company responsible for maintaining the Smart Slider 3 plugin, confirmed the breach and took immediate action. They shut down their update servers, removed the malicious version, and initiated a full investigation into the incident. Importantly, the free version of the plugin remains unaffected by this compromise.

Nextend stated, “An unauthorized party gained access to our update system and pushed a malicious version that remained accessible for approximately six hours before it was detected and pulled.”

Recommended Actions for Affected Users

Users who installed the compromised version are strongly advised to update to version 3.5.1.36. Additionally, they should follow specific cleanup steps to mitigate any potential damage:

  • Check for and remove any suspicious or unknown admin accounts.
  • Uninstall Smart Slider 3 Pro version 3.5.1.35.
  • Reinstall a clean version of the plugin.
  • Delete persistence files that may allow the backdoor to remain active.
  • Remove malicious options from the “wp_options” table.
  • Reset administrator and database user passwords.
  • Enable two-factor authentication for added security.
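
A triage sketch for the first two cleanup steps, added here as an example and not taken from the Nextend or Patchstack advisories: it reads the installed version from the plugin's header comment and lists administrator accounts from raw `wp_users` / `wp_usermeta` rows rather than relying on the dashboard's user list. Assumptions: the default `wp_` table prefix, rows already exported from the database, constructed sample data, and hypothetical function names.

```python
import re

BAD_VERSION = "3.5.1.35"  # trojanized release named in the article

def plugin_version(main_php_text):
    """Read the Version field from a WordPress plugin header comment."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", main_php_text[:8192], re.M | re.I)
    return m.group(1) if m else None

def is_admin(capabilities):
    """True if a PHP-serialized capabilities value grants 'administrator'."""
    return 's:13:"administrator";b:1;' in capabilities

def unexpected_admins(users, usermeta, known_admins, cap_key="wp_capabilities"):
    """users rows: (ID, user_login); usermeta rows: (user_id, meta_key, meta_value)."""
    admin_ids = {uid for uid, key, val in usermeta if key == cap_key and is_admin(val)}
    return sorted(login for uid, login in users
                  if uid in admin_ids and login not in known_admins)

def triage(main_php_text, users, usermeta, known_admins):
    """Combine the version check and the admin audit into one report."""
    version = plugin_version(main_php_text)
    return {"version": version,
            "trojanized": version == BAD_VERSION,
            "unexpected_admins": unexpected_admins(users, usermeta, known_admins)}

# Constructed sample data (not taken from a real site or from the advisory).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Smart Slider 3 Pro
Version: 3.5.1.35
*/
"""
SAMPLE_USERS = [(1, "siteowner"), (2, "editor_amy"), (7, "svc_maint")]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

if __name__ == "__main__":
    print(triage(SAMPLE_HEADER, SAMPLE_USERS, SAMPLE_USERMETA, {"siteowner"}))
```

Any login it reports should be checked against the people who are supposed to hold administrator rights before it is removed.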

Broader Implications of the Incident

This incident serves as a stark reminder of the vulnerabilities inherent in supply chain security. As Patchstack pointed out, “This incident is a textbook supply chain compromise, the kind that renders traditional perimeter defenses irrelevant.” The attack highlights the risks associated with relying on trusted update channels, where malicious code can be delivered without raising alarms.

The implications extend beyond individual site security, affecting the broader WordPress ecosystem. With a vast number of sites relying on third-party plugins, the potential for similar attacks remains a pressing concern. Cybersecurity professionals must remain vigilant and proactive in securing their environments against such threats.

For further details on the incident and cleanup steps, users can refer to the official advisory provided by Smart Slider.

Source: thehackernews.com
