Backdoored Smart Slider 3 Pro Update Hits WordPress Supply Chain

A major supply chain compromise has struck the popular Smart Slider 3 Pro plugin for WordPress and Joomla, after attackers hijacked Nextend’s update infrastructure to distribute a trojanized build (v3.5.1.35). With over 800,000 active installations across free and Pro editions, this incident highlights the risks of trusted update channels being weaponized.

What Happened

  • Malicious update: Version 3.5.1.35 Pro was pushed via the official update channel on April 7, 2026, remaining live for ~6 hours before detection.
  • Payload capabilities:
    • Pre-authenticated remote code execution via custom HTTP headers (X-Cache-Status, X-Cache-Key).
    • Hidden administrator account creation (e.g., wpsvc_a3f1) concealed from legitimate admins.
    • Multiple persistence mechanisms: must-use plugin (object-cache-helper.php), theme functions.php injection, and class-wp-locale-helper.php in wp-includes.
    • Credential exfiltration to C2 domain wpjs1[.]com.
  • Sophistication: Multi-layered persistence toolkit with redundant re-entry points, credential theft, and automatic C2 registration.

Cleanup Guidance

If your site updated to 3.5.1.35 Pro, immediate remediation is required:

  1. Update to version 3.5.1.36.
  2. Remove rogue admin accounts and persistence files.
  3. Delete malicious WordPress options (_wpc_ak, _wpc_uid, _wpc_uinfo, _perf_toolkit_source, wp_page_for_privacy_policy_cache).
  4. Clean configuration files: remove WP_CACHE_SALT entries from wp-config.php and .htaccess.
  5. Reset credentials: admin, database, FTP/SSH, and hosting accounts.
  6. Audit logs for unauthorized POST requests or changes.
  7. Enable 2FA for admins and disable PHP execution in the uploads folder.
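The cleanup steps above as a read-only audit script (an added example, not code from the original post or from Nextend): it reports the persistence files, the injected `WP_CACHE_SALT` entries and the rogue options the post names, so each hit can be reviewed before removal. It assumes the standard WordPress layout under the given root; the locations of the persistence files are inferred from the names in the post, and the options check reads an optional text or SQL dump of the options table.

```shell
#!/bin/sh
# Added example (not from the original post or from Nextend): a read-only audit of a
# WordPress install for the indicators named in the write-up. It only reports; nothing
# is deleted, so each hit can be reviewed before cleanup.
# Assumptions: the standard WordPress layout under the given root, persistence-file paths
# inferred from the names in the post, and an optional text/SQL dump of the options table.

# Persistence files named in the post (locations assumed from the standard layout).
PERSIST_FILES="wp-content/mu-plugins/object-cache-helper.php wp-includes/class-wp-locale-helper.php"
# Injected constant the cleanup guidance says to remove from wp-config.php and .htaccess.
CONFIG_MARKER="WP_CACHE_SALT"
# Rogue options listed in the cleanup guidance.
ROGUE_OPTIONS="_wpc_ak _wpc_uid _wpc_uinfo _perf_toolkit_source wp_page_for_privacy_policy_cache"

# audit_wp_site <wordpress-root> [options-dump]
# Prints one line per finding and leaves the total in AUDIT_HITS; always returns 0.
audit_wp_site() {
    root="$1"; dump="$2"; AUDIT_HITS=0
    for f in $PERSIST_FILES; do
        if [ -e "$root/$f" ]; then
            echo "PERSISTENCE FILE: $root/$f"; AUDIT_HITS=$((AUDIT_HITS + 1))
        fi
    done
    for c in wp-config.php .htaccess; do
        if [ -f "$root/$c" ] && grep -q "$CONFIG_MARKER" "$root/$c"; then
            echo "CONFIG ENTRY: $CONFIG_MARKER in $root/$c"; AUDIT_HITS=$((AUDIT_HITS + 1))
        fi
    done
    if [ -n "$dump" ] && [ -f "$dump" ]; then
        for o in $ROGUE_OPTIONS; do
            if grep -q -- "$o" "$dump"; then
                echo "ROGUE OPTION: $o"; AUDIT_HITS=$((AUDIT_HITS + 1))
            fi
        done
    fi
    # Theme functions.php injections have no fixed signature in the post: list the files
    # so they can be diffed by hand against a clean copy of the theme.
    for t in "$root"/wp-content/themes/*/functions.php; do
        [ -f "$t" ] && echo "REVIEW MANUALLY: $t"
    done
    return 0
}

# Stand-alone use: audit.sh /var/www/html [options.sql]
if [ $# -gt 0 ]; then
    audit_wp_site "$@"
fi
```

On a live site the options dump can be produced with `wp option list` from WP-CLI or a `mysqldump` of the options table; the rogue admin accounts (the `wpsvc_` prefix the post mentions) still need to be checked in the users table separately.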

Broader Context

  • Free version unaffected: Only Smart Slider 3 Pro was compromised.
  • Nextend response: Update servers shut down, malicious version removed, full investigation launched.
  • Lesson learned: Traditional defenses (firewalls, RBAC, nonce verification) are irrelevant when the update channel itself is poisoned.

Final Thought

This incident is a textbook supply chain attack: trusted software updates turned into malware delivery. For WordPress site owners, vigilance means not only patching plugins but also monitoring for unexpected admin accounts, persistence files, and hidden options. The plugin itself became the attack vector — a stark reminder that trust in update infrastructure must be continuously verified.
