RSS
Last updated: May 14, 2026 at 10:49 AM UTC
All 219 Vulnerability 76 Breach 45 Threat 91 Defense 7
Tag: update-hijack (1 article)Clear
vulnerability
2026-04-10

Smart Slider 3 Pro update system hijacked - backdoored version pushed to 800,000+ WordPress sites via official channel

Attackers compromised Nextend's update infrastructure and pushed a fully weaponized version of Smart Slider 3 Pro (3.5.1.35) through the official WordPress and Joomla update channel on April 7. Sites with auto-updates enabled received a multi-layered remote access toolkit disguised as a legitimate plugin update. The malicious version was live for approximately six hours before detection. Patchstack's analysis found: unauthenticated remote command execution via crafted HTTP headers, a second authenticated backdoor with PHP eval and OS command execution, a hidden administrator account (prefixed wpsvc_) invisible in the admin interface, persistent backdoors planted in the active theme's functions.php and wp-config.php, and automated credential theft sent to an external server. Traditional defenses like firewalls, nonce verification, and role-based access controls are irrelevant here because the malicious code arrived through the trusted update channel. Affected sites should be considered fully compromised.

wordpressjoomlasmart-slidersupply-chainbackdoorupdate-hijackcredential-theft
Check
Check if any of your WordPress or Joomla sites run Smart Slider 3 Pro. If you updated to version 3.5.1.35 on or after April 7, your site is compromised.
Affected
WordPress and Joomla sites running Smart Slider 3 Pro version 3.5.1.35 that updated between April 7, 2026 and detection ~6 hours later. The free version is not affected. Sites with auto-updates enabled were most at risk.
Fix
If you installed 3.5.1.35: restore from a backup dated April 5 or earlier (to account for time zones). If no backup is available: update to 3.5.1.36, remove the hidden admin user (check for wpsvc_ prefix), clean wp-config.php (remove WP_CACHE_SALT define), clean .htaccess (remove WPCacheSalt line), remove persistence files from theme's functions.php, delete backdoor files in /cache and /media directories, remove malicious wp_options entries (_wpc_ak, _wpc_uid, _wpc_uinfo, _perf_toolkit_source), reset all admin and database passwords, change FTP/SSH and hosting credentials, and enable 2FA for all admin accounts. Sites should be treated as fully compromised - credential theft means passwords are already in attacker hands.