An unknown attacker has hijacked the update system of the Smart Slider 3 Pro plugin for WordPress and Joomla and pushed a malicious version containing a backdoor.
According to WordPress security firm Patchstack, this incident affects Smart Slider 3 Pro version 3.5.1.35 for WordPress. Smart Slider 3 is a popular WordPress slider plugin with over 800,000 active installations in both free and Pro versions.
“An unauthorized party gained access to Nextend’s update infrastructure and distributed builds created entirely by the attackers through official update channels,” the company said in a statement. “Sites that updated to 3.5.1.35 between release on April 7, 2026 and detection approximately 6 hours later received a fully weaponized remote access toolkit.”
Nextend, which manages the plugin, said someone gained unauthorized access to the company’s update system and pushed a malicious version (3.5.1.35 Pro), which remained accessible for about six hours before it was detected and pulled.
In addition to the ability to create rogue administrator accounts, this Trojanized update includes the ability to remotely execute system commands via HTTP headers and drop a backdoor to execute arbitrary PHP code via hidden request parameters. According to Patchstack, the malware has the following capabilities:
Enable pre-authenticated remote code execution via custom HTTP headers such as X-Cache-Status and X-Cache-Key. The latter contains the code passed to “shell_exec()”. A backdoor that supports dual execution modes. Allows an attacker to execute arbitrary PHP code and operating system commands on the server. Create a hidden administrator account (e.g. ‘wpsvc_a3f1’) for permanent access and tamper with ‘pre_user_query’ and ‘views_users’ filters to make it invisible to legitimate administrators. To reduce visibility in option dumps, we use three custom WordPress options configured with the “autoload” setting disabled: _wpc_ak (secret authentication key), _wpc_uid (hidden admin account user ID), and _wpc_uinfo (Base64-encoded JSON containing plaintext username, password, and email of the fraudulent account). Install persistence in three locations for redundancy. Create a required plugin with the file name “object-cache-helper.php” to make it look like a legitimate cache component, add the backdoor component to the “functions.php” file of the active theme, and drop a file named “class-wp-locale-helper.php” into the WordPress “wp-includes” directory. Extracts data including the site URL, secret backdoor key, hostname, Smart Slider 3 version, WordPress version, PHP version, WordPress admin email address, WordPress database name, plaintext username and password for the admin account, and a list of all installed persistence methods to the command and control (C2) domain “wpjs1”.[.]Com. ”
“The malware operates in several stages, each designed to ensure deep, persistent and redundant access to the compromised site,” Patchstack said.
“The sophistication of the payload is notable: Rather than a simple web shell, the attackers deployed a multi-layered persistence toolkit with several independent and redundant re-entry points, user obfuscation, resilient command execution with fallback chains, and automatic C2 registration with full credential extraction.
Please note that free versions of WordPress plugins are not affected. To contain this issue, Nextend shut down its update servers, removed the malicious version, and began a thorough investigation into the incident.
Users who have the Trojanized version installed are encouraged to update to version 3.5.1.36. Additionally, users who have installed an unauthorized version are advised to perform the following cleanup steps:
Check for and remove suspicious or unknown administrator accounts. Remove Smart Slider 3 Pro version 3.5.1.35 if installed. Reinstall a clean version of the plugin. Remove any persistence files that allow the backdoor to persist on your site. Remove malicious WordPress options from the “wp_options” table: _wpc_ak, _wpc_uid, _wpc_uinfo, _perf_toolkit_source, and wp_page_for_privacy_policy_cache. Clean up the “wp-config.php” file, including removing “define(‘WP_CACHE_SALT’, ”);”. if it exists. Delete the “# WPCacheSalt” line from the “.htaccess” file located in your WordPress root folder. Reset passwords for administrators and WordPress database users. Change FTP/SSH and hosting account credentials. Check your website and logs for unauthorized changes or unusual POST requests. Enable two-factor authentication (2FA) for administrators and disable running PHP in the upload folder.
“This incident is a textbook supply chain breach, the kind where traditional perimeter defenses become irrelevant,” Patchstack said. “None of common firewall rules, nonce validation, role-based access controls, or malicious code delivered through a trusted update channel apply. Plugins are malware.”
Source link
