Unknown attackers managed to take control of the update system used by the Smart Slider 3 Pro plugin for both WordPress and Joomla. By exploiting this access, they distributed a modified version of the plugin that contained a hidden backdoor, turning a trusted update into a serious security threat.
According to the WordPress security company Patchstack, the affected version is Smart Slider 3 Pro 3.5.1.35. This plugin is widely used, with more than 800,000 active installations across its free and paid versions, making the impact of the incident significant.
How the attack happened

The attackers gained unauthorized access to Nextend’s update infrastructure, which is responsible for delivering official plugin updates. They used this access to publish a fully malicious version of the plugin through the legitimate update channel.
This compromised version was available for approximately six hours, from its release on April 7, 2026, until it was detected and removed. During this short window, any website that updated the plugin unknowingly installed a fully functional remote access toolkit controlled by the attackers.
Nextend later confirmed the breach, shut down the affected update servers, removed the malicious version, and launched a full investigation.
What the malicious update does
The infected version of Smart Slider 3 Pro includes multiple dangerous features designed to give attackers full control over compromised websites.
It can create unauthorized administrator accounts, allowing attackers to maintain long-term access. It also installs backdoors that enable remote execution of system commands through specially crafted HTTP headers, as well as the execution of arbitrary PHP code via hidden request parameters.
One of the key capabilities is pre-authenticated remote code execution. This means attackers can run commands on the server without needing to log in, simply by sending specially designed HTTP requests.
The malware also hides its presence by manipulating WordPress filters, making malicious administrator accounts invisible in the dashboard. At the same time, it stores sensitive configuration data in the database using techniques that reduce visibility during routine checks.
Persistence and stealth techniques

To ensure it cannot be easily removed, the malware installs itself in multiple locations within the website. It creates a must-use plugin disguised as a legitimate caching component, injects code into the active theme’s core files, and adds additional files into the WordPress system directories.
This multi-layered persistence means that even if one malicious component is deleted, others can restore the backdoor, allowing attackers to regain access.
The malware also uses hidden configuration entries in the WordPress database to store important information such as authentication keys and attacker account details, further strengthening its persistence.
Data theft and communication
In addition to maintaining control, the malware collects sensitive information from the infected website and sends it to an external command-and-control server. The stolen data includes the website URL, server details, plugin and system versions, administrator email, database name, and even plaintext login credentials. It also reports all installed backdoor components, giving attackers a full overview of their access.
Scope and response
It is important to note that only the Pro version of the plugin was affected. The free version of Smart Slider 3 remains safe. After discovering the issue, Nextend quickly disabled its update servers, removed the malicious release, and began investigating how the breach occurred.
Recommended actions for affected users
Users who installed version 3.5.1.35 should immediately update to version 3.5.1.36, which is clean and secure. In addition, several cleanup steps are necessary. Website owners should check for and remove any unknown administrator accounts, delete the compromised plugin version, and reinstall a trusted copy.
All malicious files and persistence mechanisms must be removed, including hidden plugins, modified theme files, and suspicious system files. Database entries related to the malware should also be deleted.

It is equally important to review and clean configuration files such as wp-config.php and .htaccess, reset all passwords (including admin, database, FTP, and hosting accounts), and carefully inspect logs for unusual activity.
As an added layer of protection, enabling two-factor authentication and disabling PHP execution in the uploads directory are strongly recommended.
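One way to verify the three persistence locations named above (must-use plugins, the uploads directory, and theme files) after cleanup, as an added Python example that is not part of the original post or of Nextend's tooling. It assumes a standard WordPress layout, an owner-maintained allow-list of must-use plugin file names, and SHA-256 baselines taken from a clean copy of the theme; the demo runs against a constructed throwaway tree with planted indicators.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def scan_wordpress_root(root, allowed_mu_plugins, theme_baseline):
    """Return sorted (category, relative path) findings for the three persistence locations."""
    findings = []
    # 1. Must-use plugins load automatically with no activation step; anything not
    #    on the owner's allow-list (the malware poses as a caching helper) is flagged.
    mu_dir = os.path.join(root, "wp-content", "mu-plugins")
    for name in (os.listdir(mu_dir) if os.path.isdir(mu_dir) else []):
        if name.endswith(".php") and name not in allowed_mu_plugins:
            findings.append(("unexpected-mu-plugin", "wp-content/mu-plugins/" + name))
    # 2. PHP under uploads is never legitimate media; it should also be blocked server-side.
    for dirpath, _, files in os.walk(os.path.join(root, "wp-content", "uploads")):
        for name in files:
            if name.lower().endswith((".php", ".phtml")):
                findings.append(("php-in-uploads", os.path.relpath(os.path.join(dirpath, name), root)))
    # 3. Theme files whose SHA-256 drifted from a clean copy (injected code or deletion).
    for rel, expected in theme_baseline.items():
        full = Path(root, rel)
        if not full.is_file() or hashlib.sha256(full.read_bytes()).hexdigest() != expected:
            findings.append(("theme-file-modified", rel))
    return sorted(findings)

def build_demo_site():
    """Constructed sample: a throwaway WordPress-like tree with planted indicators."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {
        "wp-content/mu-plugins/site-health.php": "<?php // owner-installed helper\n",
        "wp-content/mu-plugins/wp-cache-helper.php": "<?php // planted: poses as a cache component\n",
        "wp-content/uploads/2026/04/image.jpg": "not really an image",
        "wp-content/uploads/2026/04/shell.php": "<?php // planted: PHP where only media belongs\n",
        "wp-content/themes/twentytwentyfive/functions.php": "<?php // original\n// injected line\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        Path(path).write_text(content)
    return root

def demo():
    # Baseline hash comes from the clean theme file, i.e. before the injected line.
    baseline = {"wp-content/themes/twentytwentyfive/functions.php":
                hashlib.sha256(b"<?php // original\n").hexdigest()}
    return scan_wordpress_root(build_demo_site(), {"site-health.php"}, baseline)
```

Point it at a real site root with the baselines from a fresh download of the same theme version; an empty result for all three categories is the condition to reach before reinstalling the clean plugin copy.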
To further strengthen your website after cleanup, consider installing W7SFW. This is a simple yet effective firewall solution that helps block unauthorized access and common attack patterns before they can reach your website.
One of its key advantages is ease of use. Even if you don’t have strong technical skills, you can quickly set it up and start protecting your site without complicated configuration. It provides an extra security layer that works alongside your existing measures, helping reduce the risk of future compromises.
Why this attack is critical
This incident is a clear example of a supply chain attack, where attackers compromise a trusted source to distribute malware. In this case, the official plugin update channel was used as the delivery method.
Because the malicious code came from a legitimate update, traditional security measures such as firewalls and access controls were ineffective. The plugin itself became the attack vector, making this type of threat particularly dangerous and difficult to detect.