Backdoored Smart Slider 3 Pro Update Delivered via Compromised Nextend Servers in Supply Chain Attack

A serious software supply chain attack has been uncovered involving the popular WordPress plugin Smart Slider 3, where attackers compromised the update infrastructure to distribute a malicious version containing a hidden backdoor.

According to security researchers at Patchstack, the affected release is Smart Slider 3 Pro version 3.5.1.35. The plugin, widely used across more than 800,000 websites, became a delivery channel for malware through its official update system.

Compromise of Update Infrastructure

The plugin developer Nextend confirmed that unauthorized access to its update servers allowed attackers to push a tampered version of the software.

The malicious update was available for approximately six hours on April 7, 2026, before being identified and removed. During this window, any website that updated the plugin received a fully weaponized backdoor package.

Malicious Capabilities of the Backdoored Plugin

The injected code provided attackers with extensive control over compromised websites. Key capabilities include:

  • Creation of hidden administrator accounts for persistent access
  • Execution of remote system commands via specially crafted HTTP headers
  • Ability to run arbitrary PHP code through concealed request parameters

The malware also introduced advanced persistence techniques, ensuring continued access even after partial cleanup.

Advanced Backdoor Functionality

The malicious version supports multiple execution methods, allowing attackers to:

  • Run operating system commands remotely
  • Execute server-side scripts dynamically
  • Maintain stealth by hiding malicious accounts from administrators

A secret authentication mechanism was embedded within custom WordPress settings, making detection more difficult.
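Hidden administrator accounts are usually concealed at the dashboard level (the user listing is filtered), not in the database, so a direct query against the users tables still surfaces them. The following is an added example, not code from Patchstack or Nextend: it runs the audit query against an in-memory SQLite copy of the `wp_users`/`wp_usermeta` layout (default `wp_` table prefix assumed; the sample accounts, including the planted `wp_cache_svc` user, are constructed) and reports any administrator not on an operator-maintained allow list.

```python
from __future__ import annotations

import sqlite3

# Only the columns the audit needs, mirroring the default wp_users /
# wp_usermeta tables. SQLite stands in for MySQL so this runs offline;
# the query itself is plain SQL and works unchanged against the real DB
# once the table prefix is adjusted.
SCHEMA = """
CREATE TABLE wp_users (
    ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT
);
CREATE TABLE wp_usermeta (
    umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT
);
"""

# WordPress stores roles as a PHP-serialized array in the
# "<prefix>capabilities" user meta; an administrator entry contains the
# literal key "administrator". Hiding an account from the Users screen
# filters the listing, not this table.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID
"""


def list_admins(conn: sqlite3.Connection) -> list[tuple]:
    """Every account holding the administrator role, straight from the DB."""
    return conn.execute(ADMIN_QUERY).fetchall()


def unexpected_admins(conn: sqlite3.Connection, known_logins: set[str]) -> list[tuple]:
    """Administrators whose login is not on the operator's approved list."""
    return [row for row in list_admins(conn) if row[1] not in known_logins]


def build_sample_db() -> sqlite3.Connection:
    """Constructed fixture: two legitimate users and one planted admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO wp_users VALUES (?, ?, ?, ?)",
        [
            (1, "siteowner", "owner@example.test", "2023-05-01 10:00:00"),
            (2, "editor", "editor@example.test", "2023-06-12 08:30:00"),
            # Constructed planted account; the name mimics a service user.
            (3, "wp_cache_svc", "noreply@example.test", "2026-04-07 14:12:33"),
        ],
    )
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
        [
            (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
            (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
            (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        ],
    )
    conn.commit()
    return conn


def demo() -> list[str]:
    """Logins of administrators not on the approved list for the fixture."""
    conn = build_sample_db()
    return [row[1] for row in unexpected_admins(conn, {"siteowner"})]


if __name__ == "__main__":
    print(demo())  # ['wp_cache_svc']
```

On a live site the same check is `wp user list --role=administrator` with WP-CLI, or the query above run through the MySQL client with the site's real table prefix; compare the result against the list of administrators you expect to exist, and treat registration timestamps inside the six-hour window as a priority lead.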

Multi-Layered Persistence Mechanisms

To ensure long-term control, the attackers deployed several redundant persistence methods:

  • Installation of a disguised must-use plugin resembling a caching component
  • Injection of malicious code into the active theme’s functions file
  • Placement of additional backdoor files within core WordPress directories

These layers make removal challenging and allow attackers to regain access even after initial remediation efforts.
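The three persistence layers above each leave a file-system artifact, and a cleanup that misses any one of them leaves the site re-exploitable. The script below is an added example, not code from Patchstack or Nextend: it builds a constructed WordPress-like tree with all three layers planted, then scans it by listing every must-use plugin, grepping theme `functions.php` files for suspicious constructs, and comparing `wp-admin`/`wp-includes` against a SHA-256 baseline. The heuristic patterns, the mu-plugin file name and the sample contents are assumptions for the example, not indicators from the incident.

```python
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Generic constructs that rarely belong in a theme's functions.php.
# These are assumptions for this example, not the incident's actual code.
SUSPICIOUS_PHP = re.compile(
    r"\beval\s*\(|base64_decode\s*\(|\$_SERVER\s*\[\s*['\"]HTTP_|"
    r"\b(?:system|passthru|shell_exec|proc_open)\s*\(",
    re.IGNORECASE,
)


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_wordpress(root: Path, core_baseline: dict[str, str]) -> list[str]:
    """Return findings for the three persistence layers.

    core_baseline maps relative paths under wp-admin/ and wp-includes/ to the
    SHA-256 of the clean file. Build it from a pristine copy of the same
    WordPress version, never from the site under examination.
    """
    findings: list[str] = []

    # Layer 1: must-use plugins load on every request and cannot be
    # deactivated from the dashboard, so every file here deserves review.
    mu_dir = root / "wp-content" / "mu-plugins"
    if mu_dir.is_dir():
        for p in sorted(mu_dir.glob("*.php")):
            findings.append(f"mu-plugin present: {p.relative_to(root).as_posix()}")

    # Layer 2: code appended to a theme's functions.php.
    for fn in sorted((root / "wp-content" / "themes").glob("*/functions.php")):
        if SUSPICIOUS_PHP.search(fn.read_text(errors="ignore")):
            findings.append(f"suspicious code in theme file: {fn.relative_to(root).as_posix()}")

    # Layer 3: files dropped into, or modified inside, core directories.
    for core_dir in ("wp-admin", "wp-includes"):
        d = root / core_dir
        if not d.is_dir():
            continue
        for p in sorted(d.rglob("*.php")):
            rel = p.relative_to(root).as_posix()
            expected = core_baseline.get(rel)
            if expected is None:
                findings.append(f"unexpected file in core directory: {rel}")
            elif sha256_of(p) != expected:
                findings.append(f"core file modified: {rel}")
    return findings


def build_sample_site(base: Path) -> tuple[Path, dict[str, str]]:
    """Constructed fixture: a minimal tree with all three layers planted."""
    root = base / "site"
    clean_core = {
        "wp-includes/version.php": "<?php $wp_version = 'placeholder';\n",
        "wp-admin/admin.php": "<?php require_once 'admin-header.php';\n",
    }
    for rel, body in clean_core.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(body)
    baseline = {rel: sha256_of(root / rel) for rel in clean_core}  # taken while clean

    # Layer 1: a must-use plugin named to look like a caching helper.
    mu_dir = root / "wp-content" / "mu-plugins"
    mu_dir.mkdir(parents=True)
    (mu_dir / "wp-cache-helper.php").write_text("<?php // constructed placeholder\n")
    # Layer 2: a suspicious construct appended to the theme's functions.php.
    theme = root / "wp-content" / "themes" / "sample-theme"
    theme.mkdir(parents=True)
    (theme / "functions.php").write_text(
        "<?php add_theme_support('title-tag');\n"
        "eval('/* constructed placeholder */');\n"
    )
    # Layer 3: an extra file in wp-includes and a tampered core file.
    (root / "wp-includes" / "class-wp-cache-compat.php").write_text("<?php // constructed\n")
    (root / "wp-admin" / "admin.php").write_text(
        "<?php require_once 'admin-header.php'; include 'extra.php';\n"
    )
    return root, baseline


def demo() -> list[str]:
    with tempfile.TemporaryDirectory() as tmp:
        root, baseline = build_sample_site(Path(tmp))
        return scan_wordpress(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real install, WP-CLI's `wp core verify-checksums` covers the core-directory comparison against the official checksums for the installed version; the mu-plugin and theme checks still need a manual pass, and any finding should be treated as a reason to rebuild from known-good sources rather than to delete individual files.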

Data Exfiltration and Command-and-Control

The compromised plugin also transmitted sensitive information to an attacker-controlled domain. Exfiltrated data included:

  • Website URL and hosting details
  • WordPress and PHP versions
  • Administrator credentials in plaintext
  • Database information and configuration details

This data enabled attackers to maintain control and potentially launch further attacks.

Response and Mitigation Measures

Following the discovery, Nextend shut down its update servers, removed the malicious version, and initiated a full investigation.

Users who installed version 3.5.1.35 are strongly advised to upgrade immediately to a clean version (3.5.1.36 or later).



