Supply Chain Attack Targets Smart Slider 3 Pro
Threat actors have successfully compromised the update delivery infrastructure for Smart Slider 3 Pro, a premium slider plugin used across WordPress and Joomla installations, and leveraged that access to push a weaponized update to end users. The vendor confirmed that only version 3.5.1.35 of the Pro edition is affected. Users are being directed to upgrade to the latest release, 3.5.1.36, or to roll back to 3.5.1.34 or any earlier version.
Smart Slider 3 for WordPress is installed on more than 900,000 websites where it is used for responsive, live-edited slider creation, offering a broad library of layouts and design templates. The scale of that install base makes the supply chain compromise particularly concerning for site administrators.
Timeline and Initial Discovery
According to the vendor, the malicious update was distributed on April 7, 2026, and an unknown number of sites may have automatically installed it. The Smart Slider team recommends using April 5, 2026 as the target restoration date for any backup rollback, specifically to account for time zone differences that could otherwise leave a narrow window of contamination uncovered.
Security firm Patchstack, which specializes in securing WordPress and open-source software, published a technical analysis confirming that the tampered release contains a fully featured, multi-layered malware toolkit. Critically, the malicious code was embedded inside the plugin's main file while leaving Smart Slider's normal slider functionality intact, a deliberate design choice intended to delay detection.
What the Malicious Update Actually Does
Unauthenticated Remote Code Execution
Patchstack researchers found that the embedded toolkit enables a remote attacker to execute arbitrary commands without any authentication by sending specially crafted HTTP headers. This alone represents a critical-severity capability, allowing complete server compromise from a single unauthenticated request.
Authenticated Backdoor with PHP Eval and OS Commands
A second backdoor requires authentication but provides both PHP eval execution and direct operating system command execution, giving an attacker full control over the server environment once initial access is established. This layer also includes automated credential theft functionality.
Hidden Administrator Account Creation
The malware automatically creates a hidden user account with full administrator permissions and stores the associated credentials in the WordPress database. On Joomla installations, these rogue accounts are typically created with the prefix wpsvc_. Because the account is concealed, it does not appear under normal user-management views, making manual discovery difficult.
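A hidden account still has to exist in the database to authenticate, so the reliable check is to enumerate administrators directly from the tables rather than through the dashboard and compare the result with the administrators you expect. The script below is an added example, not the vendor's or Patchstack's code; it assumes the stock WordPress layout (wp_users/wp_usermeta, the wp_capabilities meta key) and the stock Joomla layout with a jos_ table prefix and the default Super Users group id 8, and it runs against an in-memory SQLite copy loaded with constructed rows. On a real site run the same SQL through mysql or wp-cli with your own table prefix.

```python
"""Enumerate administrator accounts straight from the database (added example)."""
import sqlite3

# WordPress: every user whose capabilities meta marks them as administrator.
WP_ADMINS_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered
"""

# Joomla: every user mapped into the default Super Users group (id 8).
# Assumption: table prefix jos_; substitute your site's prefix.
JOOMLA_SUPERUSERS_SQL = """
SELECT u.id, u.username, u.email, u.registerDate
FROM jos_users u
JOIN jos_user_usergroup_map g ON g.user_id = u.id
WHERE g.group_id = 8
ORDER BY u.registerDate
"""

# Joomla accounts carrying the wpsvc_ prefix named in the write-up
# ('_' is a LIKE wildcard, hence the ESCAPE clause).
JOOMLA_PREFIX_SQL = r"SELECT id, username FROM jos_users WHERE username LIKE 'wpsvc\_%' ESCAPE '\'"


def unexpected_admins(conn, sql, expected_logins, login_col=1):
    """Run an admin-enumeration query and keep rows whose login is not expected."""
    return [row for row in conn.execute(sql).fetchall() if row[login_col] not in expected_logins]


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data (not from a real site): one legitimate admin per
    platform plus one rogue account per platform, using demo usernames."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, registerDate TEXT);
    CREATE TABLE jos_user_usergroup_map (user_id INTEGER, group_id INTEGER);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", [
        (1, "siteowner", "owner@example.test", "2024-01-10 09:00:00"),
        (2, "editor1", "editor@example.test", "2024-03-02 11:30:00"),
        (3, "hidden_demo_admin", "noreply@example.test", "2026-04-07 13:12:44"),  # constructed rogue account
    ])
    # wp_capabilities is a PHP-serialized array; the LIKE above matches the role name inside it.
    conn.executemany("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?,?,?)", [
        (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    conn.executemany("INSERT INTO jos_users VALUES (?,?,?,?)", [
        (42, "admin", "admin@example.test", "2023-06-01 08:00:00"),
        (43, "wpsvc_demo", "x@example.test", "2026-04-07 13:15:02"),  # constructed, uses the page's prefix
    ])
    conn.executemany("INSERT INTO jos_user_usergroup_map VALUES (?,?)", [(42, 8), (43, 8), (43, 2)])
    return conn


def audit_demo() -> dict:
    """Audit the constructed database against the known-good admin lists."""
    conn = build_demo_db()
    return {
        "wordpress": [r[1] for r in unexpected_admins(conn, WP_ADMINS_SQL, {"siteowner"})],
        "joomla": [r[1] for r in unexpected_admins(conn, JOOMLA_SUPERUSERS_SQL, {"admin"})],
        "joomla_prefix_matches": [r[1] for r in conn.execute(JOOMLA_PREFIX_SQL).fetchall()],
    }


if __name__ == "__main__":
    for platform, logins in audit_demo().items():
        print(platform, logins)
```

Any login the query returns that is not on your own list of administrators warrants the full-compromise response described below; the prefix query is only a convenience, since the write-up says the prefix is typical, not guaranteed.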
Must-Use Plugin Persistence
To survive plugin deactivation, the toolkit creates a mu-plugins directory and drops a must-use plugin inside it, disguising the file as a legitimate caching component. Must-use plugins load automatically on every WordPress page request, cannot be deactivated through the WordPress dashboard, and are hidden from the standard plugins list, which makes this one of the stealthiest persistence mechanisms available within the WordPress architecture.
Theme Functions File Injection
A backdoor is also planted inside the active theme's functions.php file. This ensures the malicious code continues executing for as long as the compromised theme remains active, surviving even a full plugin removal.
Core Directory File Drop
Perhaps the most resilient persistence layer involves injecting a PHP file into the wp-includes directory under a filename designed to mimic a legitimate WordPress core class. As Patchstack researchers explain:
"Unlike the other persistence layers, this backdoor does not depend on the WordPress database, but reads its authentication key from a .cache_key file stored in the same directory."
The practical consequence is that rotating database credentials does not neutralize this backdoor; it continues to function even if WordPress fails to bootstrap fully.
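The three file-system persistence layers just described (the must-use plugin, the functions.php injection, and the wp-includes file with its .cache_key) can be checked for without knowing the exact malware signatures. The audit below is an added example, not code from the vendor or from Patchstack: it lists every must-use plugin for review, flags dangerous PHP constructs in the active theme's functions.php (the pattern list is this example's own heuristic), and compares wp-includes against a manifest of known-good SHA-256 hashes while reporting any .cache_key file. The demo builds a constructed sample tree in a temporary directory; on a real site derive the manifest from a pristine copy of the same WordPress version, or use wp-cli's `wp core verify-checksums` for the core comparison.

```python
"""Audit a WordPress document root for the persistence indicators above (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Assumption: constructs that rarely belong in a theme's functions.php.
SUSPICIOUS = re.compile(
    rb"\b(eval|base64_decode|gzinflate|str_rot13|system|shell_exec|passthru)\s*\(",
    re.IGNORECASE,
)


def audit_mu_plugins(root: Path) -> list[str]:
    """List every file under wp-content/mu-plugins; each one deserves a manual look."""
    mu = root / "wp-content" / "mu-plugins"
    if not mu.is_dir():
        return []
    return [f"mu-plugin present: {p.relative_to(root).as_posix()}"
            for p in sorted(mu.rglob("*")) if p.is_file()]


def audit_functions_php(root: Path, theme: str) -> list[str]:
    """Flag dangerous constructs in the active theme's functions.php."""
    fn = root / "wp-content" / "themes" / theme / "functions.php"
    if not fn.is_file():
        return []
    hits = sorted({m.group(1).decode().lower() for m in SUSPICIOUS.finditer(fn.read_bytes())})
    return [f"functions.php calls {h}()" for h in hits]


def audit_wp_includes(root: Path, manifest: dict[str, str]) -> list[str]:
    """Compare wp-includes with a {relative path: sha256} manifest of known-good files."""
    inc = root / "wp-includes"
    findings = []
    for p in sorted(inc.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(inc).as_posix()
        if rel == ".cache_key":
            findings.append("wp-includes/.cache_key present (key file of the DB-independent backdoor)")
        elif p.suffix == ".php":
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            if rel not in manifest:
                findings.append(f"unknown file wp-includes/{rel}")
            elif manifest[rel] != digest:
                findings.append(f"modified core file wp-includes/{rel}")
    return findings


def audit_site(root, theme: str, manifest: dict[str, str]) -> list[str]:
    root = Path(root)
    return audit_mu_plugins(root) + audit_functions_php(root, theme) + audit_wp_includes(root, manifest)


def build_demo_site(root: Path) -> dict[str, str]:
    """Constructed sample tree (not a real compromise) with one indicator of each kind.
    File names are placeholders chosen for the demo, not the real malware's names."""
    (root / "wp-content" / "mu-plugins").mkdir(parents=True)
    (root / "wp-content" / "mu-plugins" / "object-cache-helper.php").write_text("<?php // demo mu-plugin\n")
    theme = root / "wp-content" / "themes" / "demo-theme"
    theme.mkdir(parents=True)
    (theme / "functions.php").write_text(
        "<?php\nadd_action('init', function () {});\n"
        "eval(base64_decode($payload));  // demo marker of an injected backdoor\n")
    inc = root / "wp-includes"
    inc.mkdir()
    (inc / "class-wp-hook.php").write_text("<?php // stand-in for a genuine core file\n")
    manifest = {"class-wp-hook.php": hashlib.sha256((inc / "class-wp-hook.php").read_bytes()).hexdigest()}
    (inc / "class-wp-demo-loader.php").write_text("<?php // hypothetical core-lookalike name\n")
    (inc / ".cache_key").write_text("placeholder\n")
    return manifest


def run_demo() -> list[str]:
    """Build the constructed tree in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        manifest = build_demo_site(root)
        return audit_site(root, "demo-theme", manifest)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

A clean site should produce an empty list apart from any must-use plugins you installed yourself; because the wp-includes backdoor does not rely on the database, the manifest comparison is the check that matters most after credentials have been rotated.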
Joomla-Specific Behavior
For Joomla sites, the vendor's disclosure notes that the malicious code in version 3.5.1.35 may create hidden administrator accounts, install additional backdoors inside the /cache and /media directories, and exfiltrate site information along with stored credentials.
Vendor Disclosure and Recommended Response
The Smart Slider team issued a formal security disclosure stating: "A security breach affected the update system responsible for distributing Smart Slider 3 Pro for WordPress." For sites where a clean backup is unavailable, the recommended first step is to remove the compromised plugin entirely and install the clean release, version 3.5.1.36.
Administrators who identify the compromised version 3.5.1.35 on their servers should treat the event as a full site compromise and take the following remediation steps:
- Delete all malicious users, files, and database entries introduced by the attack
- Reinstall WordPress or Joomla core, all plugins, and all themes from verified, trusted sources
- Rotate every set of credentials: WordPress admin passwords, database passwords, FTP/SSH keys, hosting panel credentials, and email account passwords
- Regenerate WordPress security keys and salts
- Perform a thorough malware scan and review all available server and application logs
Manual Cleanup and Hardening Guidance
The vendor has also published a multi-step manual cleanup guide covering both WordPress and Joomla platforms. The process begins with placing the site in maintenance mode and taking a full backup before making any changes. Administrators should then identify and remove unauthorized administrator accounts, strip out all malicious files and code injections, and reinstall all core components, plugins, and themes from scratch.
After cleanup, all passwords must be reset and a secondary malware scan should be run to confirm no remnants remain. As final hardening measures, the vendor recommends:
- Enabling two-factor authentication (2FA) for all administrator accounts
- Updating all components to their latest available versions
- Restricting administrative access by IP or role where possible
- Enforcing strong, unique passwords across all accounts
Given that the malicious update was live for at least part of April 7, 2026, any WordPress or Joomla site running Smart Slider 3 Pro should treat an immediate audit as mandatory, regardless of whether suspicious activity has been directly observed.
Source: BleepingComputer