Unknown attackers compromised the update mechanism of the Smart Slider 3 Pro plugin for WordPress and Joomla and used it to distribute a backdoored build. The incident affects version 3.5.1.35 of Smart Slider 3 Pro for WordPress, as reported by WordPress security firm Patchstack. The plugin has over 800,000 active installations across its free and Pro editions.
Details of the Security Breach
Nextend, the company behind the plugin, confirmed that unauthorized individuals infiltrated their update infrastructure, releasing an attacker-modified build via the official update channel. Any website that upgraded to version 3.5.1.35 within six hours of its release on April 7, 2026, was at risk of receiving a fully functional remote access toolkit.
The injected malware can create unauthorized administrator accounts and execute operating-system commands on the server, with the trigger carried in HTTP request headers. It can also execute arbitrary PHP code supplied through concealed request parameters.
Technical Capabilities of the Malware
The backdoor provides unauthenticated (pre-auth) remote code execution triggered by custom HTTP request headers such as X-Cache-Status and X-Cache-Key; the value of the latter is passed to PHP's shell_exec(). It supports two execution modes, running either PHP code or operating-system commands on the compromised server. It also creates hidden administrator accounts and hooks WordPress filters so that those accounts are not shown to legitimate administrators.
Persistence is achieved by installing the backdoor in multiple locations: a must-use plugin (mu-plugin) disguised as a caching component, which WordPress loads automatically and which cannot be deactivated from the admin dashboard, and malicious code appended to the active theme's functions.php file. The backdoor also exfiltrates the site URL, its secret backdoor key, and the credentials of the created admin accounts to a command-and-control domain.
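The two persistence locations named above (the mu-plugins directory and each theme's functions.php) and the two trigger headers give a responder something concrete to scan for. The following is an added triage script written for this article, not Patchstack's or Nextend's code and not their signatures: it walks a wp-content tree, flags PHP files that reference the X-Cache-Key/X-Cache-Status request headers or call an exec-family function, and runs itself against a constructed sample tree. The sample "backdoor" files are stand-ins that contain the indicator strings with the exec call made unreachable, so nothing in them can execute.

```python
import os
import re
import tempfile

# Indicator patterns derived from the writeup: the trigger headers as PHP sees
# them in $_SERVER (or via getallheaders()), and command/code-execution sinks.
# These are hypothetical triage patterns, not vendor-published signatures.
HEADER_RE = re.compile(r"HTTP_X_CACHE_(?:KEY|STATUS)|getallheaders\s*\(", re.I)
SINK_RE = re.compile(
    r"\b(?:shell_exec|exec|system|passthru|proc_open|popen|eval)\s*\(", re.I)


def scan_php_file(path):
    """Return the indicator names found in one PHP file (empty list if clean)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    hits = []
    if HEADER_RE.search(src):
        hits.append("header-trigger")
    if SINK_RE.search(src):
        hits.append("exec-sink")
    return hits


def scan_wp_content(root):
    """Scan the persistence locations named in the writeup under wp-content.

    Returns {relative_path: [indicators]} for every file with at least one hit.
    A file with both header-trigger and exec-sink is the strongest signal; a
    lone exec-sink in a theme's functions.php still deserves a manual look.
    Every theme is checked, not just the active one, because the active theme
    can change after the code was appended.
    """
    candidates = []
    mu = os.path.join(root, "mu-plugins")
    if os.path.isdir(mu):
        for name in sorted(os.listdir(mu)):
            if name.endswith(".php"):
                candidates.append(os.path.join(mu, name))
    themes = os.path.join(root, "themes")
    if os.path.isdir(themes):
        for theme in sorted(os.listdir(themes)):
            fp = os.path.join(themes, theme, "functions.php")
            if os.path.isfile(fp):
                candidates.append(fp)
    findings = {}
    for path in candidates:
        hits = scan_php_file(path)
        if hits:
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings[rel] = hits
    return findings


# --- constructed sample tree (stand-ins, not real malware) ---
CLEAN_MU = "<?php\n/* Plugin Name: Site tweaks */\nadd_filter('xmlrpc_enabled', '__return_false');\n"
CLEAN_FUNCTIONS = "<?php\nadd_theme_support('post-thumbnails');\n"
# Mimics a mu-plugin disguised as a caching component: the indicators are
# present but the exec call sits behind `if (false)`, so it never runs.
FAKE_BACKDOOR_MU = (
    "<?php\n/* Plugin Name: Object Cache Helper */\n"
    "$key = $_SERVER['HTTP_X_CACHE_KEY'] ?? '';\n"
    "if (false) { shell_exec($key); } // unreachable stand-in\n"
)
# Mimics code appended to a theme's functions.php after the legitimate content.
APPENDED_FUNCTIONS = CLEAN_FUNCTIONS + (
    "\n// appended block (constructed sample)\n"
    "if (false) { eval($_SERVER['HTTP_X_CACHE_KEY'] ?? ''); }\n"
)


def build_sample_site(root):
    """Write the constructed wp-content tree used by demo()."""
    os.makedirs(os.path.join(root, "mu-plugins"))
    os.makedirs(os.path.join(root, "themes", "twentytwentyfour"))
    os.makedirs(os.path.join(root, "themes", "child-theme"))
    files = {
        ("mu-plugins", "site-tweaks.php"): CLEAN_MU,
        ("mu-plugins", "object-cache-helper.php"): FAKE_BACKDOOR_MU,
        ("themes", "twentytwentyfour", "functions.php"): CLEAN_FUNCTIONS,
        ("themes", "child-theme", "functions.php"): APPENDED_FUNCTIONS,
    }
    for parts, body in files.items():
        with open(os.path.join(root, *parts), "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the sample tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_wp_content(tmp)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"SUSPECT {rel}: {', '.join(hits)}")
```

On a real site, point scan_wp_content() at the wp-content directory and treat every hit as a lead, not a verdict: legitimate caching plugins do read cache-related headers, so confirm by reading the flagged file and comparing it against a known-good copy from the vendor or from backups.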
Recommendations for Affected Users
Patchstack highlights the sophistication of the malware, emphasizing its multi-layered persistence and resilience. Notably, the free version of the plugin remains unaffected. In response, Nextend has deactivated its update servers, removed the malicious version, and initiated a comprehensive investigation.
Users are advised to update to version 3.5.1.36 immediately and then carry out the cleanup steps, since updating the plugin alone does not remove persistence planted outside the plugin directory. The steps are: identify and remove suspicious admin accounts (because the backdoor hides them by hooking WordPress filters, inspect the users table directly rather than relying on the dashboard's user list); uninstall the affected plugin version; delete the persistence files (the rogue mu-plugin and the code appended to the active theme's functions.php) and the malicious WordPress options; reset passwords; review site logs for unauthorized changes; and enable two-factor authentication.
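Because the hidden accounts are concealed at the PHP layer, the reliable way to enumerate them is to read the database directly, where no filter runs. The following is an added example written for this article (not code from Patchstack or Nextend): it takes rows of the kind returned by querying wp_users joined to wp_usermeta, parses the PHP-serialized wp_capabilities value, and reports every administrator that is either not on a known-admin list or was registered on or after the incident date. The rows, the known-admin list and the query in the comment are constructed assumptions for the demonstration; the table prefix wp_ is the WordPress default and may differ on a real site.

```python
import re
from datetime import datetime

# Constructed rows standing in for the output of a direct database query such as
# (standard WordPress schema, default wp_ prefix assumed):
#   SELECT u.ID, u.user_login, u.user_registered, m.meta_value
#     FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
#    WHERE m.meta_key = 'wp_capabilities';
# Querying the tables directly bypasses the WordPress filters the backdoor hooks
# to hide its accounts from the dashboard.
SAMPLE_ROWS = [
    (1, "owner", "2021-03-11 09:12:00", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "editor1", "2022-07-02 14:40:31", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_support", "2026-04-07 19:03:55", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "author2", "2023-01-19 11:00:00", 'a:1:{s:6:"author";b:1;}'),
]

# wp_capabilities is a PHP-serialized array: a:N:{s:<len>:"<role>";b:1;...}
CAP_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized):
    """Extract the set of role names enabled in a serialized wp_capabilities value."""
    return set(CAP_RE.findall(serialized))


def suspicious_admins(rows, known_admins, incident_start):
    """Return administrator accounts that need review, with the reason(s).

    rows:           iterable of (ID, user_login, user_registered, wp_capabilities)
    known_admins:   logins the site owner expects to hold the administrator role
    incident_start: datetime from which a newly registered admin is suspect
    """
    flagged = []
    for uid, login, registered, caps in rows:
        if "administrator" not in roles_from_capabilities(caps):
            continue
        created = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        reasons = []
        if login not in known_admins:
            reasons.append("not in known admin list")
        if created >= incident_start:
            reasons.append("registered on or after incident start")
        if reasons:
            flagged.append({"id": uid, "login": login, "reasons": reasons})
    return flagged


def demo():
    """Run the check over the constructed rows with 'owner' as the only known admin."""
    return suspicious_admins(SAMPLE_ROWS, {"owner"}, datetime(2026, 4, 7))


if __name__ == "__main__":
    for acct in demo():
        print(f"REVIEW user {acct['id']} ({acct['login']}): {'; '.join(acct['reasons'])}")
```

An account that appears in this output but not in the dashboard's user list is direct evidence of the filter-based hiding described above; remove it from the database (or via WP-CLI once the persistence files are gone) and rotate the credentials of every remaining administrator, since the backdoor sent admin credentials to its command-and-control domain.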
Patchstack describes the event as a classic supply chain compromise, illustrating the challenges traditional security measures face when malware is delivered through trusted channels.
