Unknown threat actors have compromised the update infrastructure for the Smart Slider 3 Pro plugin used in WordPress and Joomla environments, distributing a modified version of the software containing a backdoor. The incident affects Smart Slider 3 Pro version 3.5.1.35 for WordPress and was identified by WordPress security firm Patchstack. Smart Slider 3 is widely used across content management systems, with more than 800,000 active installations across both its free and Pro editions, making the compromise a significant concern for website administrators relying on the plugin for design and functionality.
According to Patchstack, an unauthorized party gained access to Nextend's official update infrastructure and used it to push a fully attacker-controlled build through the legitimate update channel. Sites that updated to version 3.5.1.35 during the window that opened on April 7, 2026, and closed roughly six hours later when the build was detected were affected; those sites installed a weaponized remote-access toolkit rather than a legitimate update. Nextend confirmed that its update system had been accessed without authorization and that the malicious version was removed shortly after detection. The free version of Smart Slider 3 was not affected.
Technical analysis indicates that the trojanized update contains several mechanisms for establishing persistent, covert access to affected systems. The malware creates rogue administrator accounts, including a hidden account named wpsvc_a3f1, and conceals them from the standard user list and user counts by hooking WordPress's pre_user_query and views_users hooks. Because the concealment happens at the query and view layer, the account row still exists in wp_users and is visible to a direct database query. The build also adds a backdoor that executes system-level commands supplied in HTTP request headers such as X-Cache-Status and X-Cache-Key, passing the supplied command to shell_exec, and it accepts arbitrary PHP code through hidden request parameters, so an attacker can interact with the server through more than one access method.
Further persistence techniques are embedded in the compromised build to ensure long-term access. The malware stores its authentication and configuration data in WordPress options named _wpc_ak, _wpc_uid, and _wpc_uinfo, with autoload disabled so the options are not loaded alongside the site's other options on every request and are less likely to be noticed in routine review (they remain in the wp_options table and appear in a full database dump). It establishes redundant persistence by dropping a must-use plugin disguised as object-cache-helper.php (must-use plugins in wp-content/mu-plugins load automatically and cannot be deactivated from the admin interface), modifying the active theme's functions.php file, and placing a malicious file named class-wp-locale-helper.php inside the wp-includes directory. Together these components keep access alive even if one persistence mechanism is found and removed. The malware also exfiltrates the site URL, server hostname, plugin version, WordPress version, PHP version, admin email, database name, and administrator credentials to a command-and-control domain identified as wpjs1[.]com.
Security researchers noted that the malicious update is a multi-layered persistence toolkit rather than a simple web shell, with redundant entry points and concealed execution paths designed to maintain long-term control of compromised systems. Patchstack described the incident as a supply-chain compromise that bypasses traditional security controls by delivering malicious code through a trusted update mechanism. In response, Nextend shut down its update servers, removed the compromised version, and opened a full investigation. Users who installed the affected version have been advised to update to version 3.5.1.36 and to perform a thorough cleanup: remove unknown administrator accounts, delete the malicious database entries, reset credentials, and audit site and server logs for unauthorized activity. Updating the plugin alone is not sufficient, because the must-use plugin, the theme modification, and the file in wp-includes all live outside the plugin directory and survive a plugin update. Additional recommendations include enabling two-factor authentication, disabling PHP execution in upload directories, and reviewing server-level access credentials.
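The indicators above (dropped file names, the hook and header names, the _wpc_* options, the hidden administrator account, and the C2 domain) are concrete enough to check for offline. The following triage script is an added example written for this article; it is not Patchstack's or Nextend's code. It assumes a standard WordPress directory layout, the default wp_ table prefix, and, for the database half, an in-memory SQLite copy of the wp_users, wp_usermeta, and wp_options tables populated with constructed sample rows (a real investigation would point the same queries at the site's MySQL database). The account check deliberately asks the tables directly rather than the admin UI or WP_User_Query, since both can be filtered by the hooks the malware installs.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

# Indicators named in the article: file paths relative to the WordPress root, option names,
# hook names, header names and the C2 domain. Everything else in this script is assumed.
IOC_FILES = (
    "wp-content/mu-plugins/object-cache-helper.php",
    "wp-includes/class-wp-locale-helper.php",
)
IOC_OPTIONS = ("_wpc_ak", "_wpc_uid", "_wpc_uinfo")
IOC_PATTERNS = {
    "user_hiding_hook": re.compile(r"add_(filter|action)\(\s*['\"](pre_user_query|views_users)['\"]"),
    "header_trigger": re.compile(r"HTTP_X_CACHE_(STATUS|KEY)|X-Cache-(Status|Key)", re.I),
    "shell_exec": re.compile(r"\bshell_exec\s*\("),
    "c2_domain": re.compile(r"wpjs1\.com", re.I),
}
# Locations the article says the build writes to or modifies. wp-includes is checked by file
# name only; grepping core for shell_exec is noisy and not what the article describes.
SCAN_GLOBS = ("wp-content/mu-plugins/*.php", "wp-content/themes/*/functions.php")


def scan_files(root: Path) -> list[dict]:
    """File-system indicators: the known dropped files, plus code patterns in mu-plugins
    and every theme's functions.php."""
    findings = [{"kind": "ioc_file", "path": rel} for rel in IOC_FILES if (root / rel).exists()]
    for pattern in SCAN_GLOBS:
        for path in sorted(root.glob(pattern)):
            text = path.read_text(errors="replace")
            for name, rx in IOC_PATTERNS.items():
                if rx.search(text):
                    findings.append({"kind": name, "path": str(path.relative_to(root))})
    return findings


def scan_database(conn: sqlite3.Connection, known_admins: set[str]) -> list[dict]:
    """Database indicators: administrators missing from the operator's allow-list, and the
    _wpc_* options regardless of their autoload flag. Assumes the default wp_ prefix."""
    findings = []
    admins = conn.execute(
        "SELECT u.user_login FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'"
    ).fetchall()
    findings += [{"kind": "unknown_admin", "user_login": login}
                 for (login,) in admins if login not in known_admins]
    placeholders = ",".join("?" * len(IOC_OPTIONS))
    for name, autoload in conn.execute(
        f"SELECT option_name, autoload FROM wp_options WHERE option_name IN ({placeholders})",
        IOC_OPTIONS,
    ):
        findings.append({"kind": "ioc_option", "option_name": name, "autoload": autoload})
    return findings


def triage(root: Path, conn: sqlite3.Connection, known_admins: set[str]) -> dict:
    return {"files": scan_files(root), "database": scan_database(conn, known_admins)}


def build_sample_site(root: Path) -> None:
    """Constructed sample install (not real malware): only the names and strings the article
    lists, with no working payload."""
    mu = root / "wp-content/mu-plugins"
    mu.mkdir(parents=True)
    (mu / "object-cache-helper.php").write_text(
        "<?php\nadd_action('pre_user_query', 'hide_svc_user');\n"
        "add_filter('views_users', 'fix_counts');\n"
        "if (isset($_SERVER['HTTP_X_CACHE_KEY'])) { shell_exec('true'); }\n"
    )
    theme = root / "wp-content/themes/sampletheme"
    theme.mkdir(parents=True)
    (theme / "functions.php").write_text("<?php\n$c2 = 'https://wpjs1.com/';\n")
    (root / "wp-includes").mkdir()
    (root / "wp-includes/class-wp-locale-helper.php").write_text("<?php\n")


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample rows mirroring the three WordPress tables the checks need."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE wp_users(ID INTEGER, user_login TEXT, user_email TEXT);"
        "CREATE TABLE wp_usermeta(user_id INTEGER, meta_key TEXT, meta_value TEXT);"
        "CREATE TABLE wp_options(option_name TEXT, option_value TEXT, autoload TEXT);"
    )
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?)",
                     [(1, "siteowner", "owner@example.com"), (7, "wpsvc_a3f1", "svc@example.com")])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)",
                     [(1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
                      (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}')])
    conn.executemany("INSERT INTO wp_options VALUES (?,?,?)",
                     [("siteurl", "https://example.com", "yes"),
                      ("_wpc_ak", "0123abcd", "no"), ("_wpc_uid", "7", "no")])
    return conn


def run_sample_triage() -> dict:
    """Run the checks against the constructed site and database; siteowner is the only
    administrator the operator recognises."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root)
        return triage(root, build_sample_db(), known_admins={"siteowner"})


if __name__ == "__main__":
    for section, items in run_sample_triage().items():
        for item in items:
            print(section, item)
```

On the sample data the script reports both dropped files, the hook, header and shell_exec strings in the mu-plugin, the C2 domain in functions.php, the unrecognised administrator wpsvc_a3f1, and the two _wpc_* options. A clean result from this script is not proof of a clean site: the article lists these indicators for one build, and a follow-on payload could use different names, so it belongs alongside log review and a comparison of every file against a known-good copy, not in place of them.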