PROBABLYPWNED
Malware · April 9, 2026 · 4 min read

Smart Slider Hijacked: 900K WordPress Sites Get Backdoored

Attackers compromised Nextend's update infrastructure to push a malicious Smart Slider 3 Pro version with four layers of backdoors. Here's who's affected and how to recover.

James Rivera

An attacker hijacked the update mechanism for Smart Slider 3 Pro on April 7, pushing a backdoored version to hundreds of thousands of WordPress and Joomla websites. Anyone who clicked "update" received working remote code execution as the web server user.

The malicious version 3.5.1.35 contained a multi-layered persistence toolkit that maintained access even after partial cleanup. Nextend, the plugin's developer, has since released a clean 3.5.1.36 build and is urging immediate action.

What Happened

Unauthorized parties gained access to Nextend's update infrastructure and pushed a compromised build through the official channel. The attack is particularly insidious because the malicious plugin preserved all normal functionality while embedding hidden backdoors.

According to PatchStack's analysis, the malware implemented what they described as a "fully featured, multi-layered toolkit" designed to survive typical cleanup attempts. The WPScan vulnerability database has catalogued this compromise as a critical threat. This supply chain approach mirrors recent npm package attacks where attackers target trusted distribution channels to maximize reach.

Four Layers of Persistence

The backdoor established multiple persistence mechanisms, making complete remediation difficult:

  1. Hidden administrator accounts - The malware creates admin users with names starting with wpsvc_ and the email address [email protected]. These accounts are stored in the database and survive plugin removal.

  2. Must-use plugins - Malicious code is placed in the wp-content/mu-plugins directory, which WordPress loads automatically on every request. Files there cannot be deactivated through the admin panel.

  3. Theme injection - The attacker's code is appended to the active theme's functions.php file, ensuring execution even if the plugin is deleted.

  4. Core file spoofing - Fake class files are placed in /wp-includes; they reuse cached authentication keys to keep access open.

What the Backdoor Does

The compromised code enabled attackers to:

  • Execute arbitrary shell commands and PHP code remotely
  • Create additional hidden administrator accounts
  • Exfiltrate credentials and database contents
  • Maintain persistent access across plugin updates

The remote execution component required no authentication—attackers could trigger it using crafted HTTP headers against any infected site.

Scope of Impact

Smart Slider 3 is installed on over 900,000 WordPress websites according to the WordPress plugin directory. The Pro version, which was specifically targeted in this attack, represents a significant portion of that user base.

Joomla installations running Smart Slider 3 Pro were also affected, following the same compromise pattern. The attack demonstrates how supply chain compromises can affect multiple platforms simultaneously when plugins support cross-CMS deployment. WordPress has been a frequent target this year—we recently covered an ImageMagick vulnerability that also threatened WordPress installations.

This incident follows a pattern of malicious packages targeting developers and end users through trusted update channels—a growing trend in 2026.

How to Check If You're Affected

Sites running version 3.5.1.35 should assume compromise. Indicators include:

  • Admin accounts with usernames starting with wpsvc_
  • Email addresses containing [email protected] in the users table
  • Unfamiliar files in /wp-content/mu-plugins/
  • Recent modifications to your theme's functions.php
  • Unexpected files in /wp-includes/
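A small triage script for the indicators above, added here as an example and not taken from Nextend's advisories or the article. It works on a constructed sample site so it runs offline; the file names under that sample tree, the theme names and the CSV export are made up for the demonstration, and the cutoff date is an assumption based on the April 5 backup date given below.

```shell
#!/bin/sh
# Added triage helper for the Smart Slider 3 Pro indicators. Not Nextend's
# tooling and not code from the article; the sample site, its file names and
# the cutoff date are constructed for the demonstration.
set -u

# --- constructed sample site (test data only; nothing here is real malware) --
SITE=$(mktemp -d)
mkdir -p "$SITE/wp-content/mu-plugins" \
         "$SITE/wp-content/themes/themeA" \
         "$SITE/wp-content/themes/themeB" \
         "$SITE/wp-includes"
printf '<?php\n' > "$SITE/wp-includes/class-wp.php"          # listed in manifest
printf '<?php\n' > "$SITE/wp-includes/class-wp-extra.php"    # constructed: not in manifest
printf '<?php\n' > "$SITE/wp-content/mu-plugins/loader.php"  # constructed: unexpected
printf '<?php\n' > "$SITE/wp-content/themes/themeA/functions.php"
printf '<?php\n' > "$SITE/wp-content/themes/themeB/functions.php"
touch -t 202604070300 "$SITE/wp-content/themes/themeA/functions.php"  # after cutoff
touch -t 202603010000 "$SITE/wp-content/themes/themeB/functions.php"  # before cutoff
# Manifest of expected core paths. On a real host, build it from a freshly
# downloaded clean WordPress archive of the same version, never from the site.
printf 'wp-includes/class-wp.php\n' > "$SITE/core-manifest.txt"
# Constructed admin-user export, in the shape produced on a real site by:
#   wp user list --role=administrator --fields=user_login,user_email --format=csv
cat > "$SITE/users.csv" <<'EOF'
user_login,user_email
editor,editor@example.com
wpsvc_sync,sync@example.com
EOF

# Indicator 1: administrator logins with the wpsvc_ prefix.
suspicious_users() {     # $1 = CSV export of admin users
    awk -F, 'NR > 1 && $1 ~ /^wpsvc_/ { print $1 }' "$1"
}

# Indicator 2: everything under mu-plugins runs on every request, so list all
# of it and compare against what you deliberately installed.
mu_plugin_files() {      # $1 = site root
    find "$1/wp-content/mu-plugins" -type f | sed "s#^$1/##" | sort
}

# Indicator 3: theme functions.php files modified after the cutoff
# (cutoff given as YYYYMMDDhhmm, compared via a reference file's mtime).
modified_theme_functions() {   # $1 = site root, $2 = cutoff
    ref=$(mktemp)
    touch -t "$2" "$ref"
    find "$1/wp-content/themes" -name functions.php -newer "$ref" | sed "s#^$1/##" | sort
    rm -f "$ref"
}

# Indicator 4: files in wp-includes that a clean core install does not ship.
unexpected_core_files() {      # $1 = site root, $2 = sorted manifest of expected paths
    find "$1/wp-includes" -type f | sed "s#^$1/##" | sort | comm -23 - "$2"
}

echo "suspicious admin users:";  suspicious_users "$SITE/users.csv"
echo "mu-plugin files:";         mu_plugin_files "$SITE"
echo "theme functions.php modified after cutoff:"; modified_theme_functions "$SITE" 202604050000
echo "unexpected wp-includes files:"; unexpected_core_files "$SITE" "$SITE/core-manifest.txt"
```

On a real site, point the functions at the document root and feed `suspicious_users` the WP-CLI export named in the comment; `wp core verify-checksums` (a real WP-CLI command) checks core files against the wordpress.org checksums and is a good complement to the manifest diff. The email indicator is not scripted here because the address is not reproduced on this page; match it against the users table using the value from Nextend's advisory.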

Recommended Recovery Steps

Nextend recommends a complete recovery process for affected sites:

  1. Restore from backup - Use a backup dated April 5, 2026 or earlier to ensure no malicious code remains. Because the exact start of the attack depends on the time zone in which it is measured, Nextend recommends this conservative date.

  2. If restoration isn't possible, perform a full cleanup:

    • Reinstall WordPress core, all plugins, and themes from trusted sources
    • Remove any unknown admin users from the database
    • Delete suspicious files from /mu-plugins/ and /wp-includes/
    • Review and clean theme functions.php files

  3. Rotate all credentials - This includes WordPress admin passwords, database credentials, FTP/SSH access, hosting control panel, and any associated email accounts.

  4. Enable two-factor authentication on all admin accounts.

  5. Regenerate WordPress security keys in wp-config.php.

  6. Update to version 3.5.1.36 only after completing the cleanup process.
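Step 5, regenerating the security keys, matters here because the core-file layer reuses cached authentication keys: new keys invalidate every cookie signed with the old ones. The script below is an added example, not Nextend's code or anything from the article; the wp-config.php it rewrites is constructed with WordPress's default placeholder values.

```shell
#!/bin/sh
# Added helper for rotating the WordPress security keys and salts. Not
# Nextend's code and not from the article; the wp-config.php is constructed.
set -u

# Constructed wp-config.php fragment with the eight key and salt constants that
# WordPress defines, using the default placeholder text as the "old" values.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
<?php
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
define( 'DB_NAME', 'wordpress' );
EOF

# Replace every key and salt with 48 fresh random bytes (96 hex characters),
# keeping a backup. Cookies signed with the old keys stop validating, so every
# session, including any an attacker still holds, must log in again.
rotate_wp_salts() {      # $1 = path to wp-config.php
    cfg=$1
    cp "$cfg" "$cfg.bak"
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        secret=$(dd if=/dev/urandom bs=1 count=48 2>/dev/null | od -An -tx1 | tr -d ' \n')
        sed "s/define( *'$name', *'[^']*' *);/define( '$name', '$secret' );/" "$cfg" \
            > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    done
}

# Count how many of the eight constants now carry a 96-character hex value.
rotated_count() {        # $1 = path to wp-config.php
    grep -c "^define( '[A-Z_]*', '[0-9a-f]\{96\}' );" "$1"
}

rotate_wp_salts "$CFG"
echo "rotated: $(rotated_count "$CFG") of 8"
```

On a site with WP-CLI available, `wp config shuffle-salts` performs the same rotation; either way, do it after the cleanup and credential rotation, since keys regenerated on a still-backdoored site can simply be read again.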

Why This Matters

Supply chain attacks against WordPress plugins continue to grow in sophistication. Unlike vulnerabilities that require specific conditions to exploit, compromised updates affect every user who trusts the official update mechanism.

The multi-layered persistence in this attack shows that threat actors are learning from previous incidents. A site owner who simply removes the plugin and reinstalls would remain compromised through the theme injection and mu-plugin layers.

For security teams managing WordPress at scale, this incident reinforces the need for update monitoring, file integrity checking, and backup strategies that support rapid rollback.

Nextend has stated they're auditing their infrastructure to prevent similar compromises. They've pulled 3.5.1.35 from distribution and published detailed advisories for both WordPress and Joomla users.
