Attackers Hijacked Smart Slider 3 Pro's Update Server to Push a Backdoor to 800,000 WordPress Sites
Introduction
Threat actors compromised the update infrastructure of Nextend, the company behind the popular Smart Slider 3 Pro plugin for WordPress and Joomla, and used it to distribute a fully backdoored version through the official update channel. The poisoned update — version 3.5.1.35 — was live for approximately six hours on April 7 before being detected and pulled. Smart Slider 3 has over 800,000 active installations.
What Happened
Attackers gained access to Nextend's update servers and injected a malicious payload into Smart Slider 3 Pro version 3.5.1.35. Any site that auto-updated or manually updated the Pro version during the six-hour window received a trojanized build through the plugin's legitimate update mechanism — no social engineering or phishing required.
The malware inside the compromised update was a multi-layered remote access toolkit. It could execute arbitrary system commands via crafted HTTP headers and run PHP code through hidden request parameters. To survive cleanup, it planted persistence hooks in three separate locations: a must-use plugin file (object-cache-helper.php), injected code in the active theme's functions.php, and a dropped file (class-wp-locale-helper.php) inside the wp-includes directory.
The backdoor also created hidden administrator accounts with usernames starting with wpsvc_ or wp_maint_, and exfiltrated database names, admin credentials, and server environment details to a command-and-control domain (wpjs1.com). It stored its configuration in WordPress options with autoload disabled, keeping it out of standard database dumps and most audit tools.
The free version of Smart Slider 3 was not affected.
Why It Matters
This is a textbook supply chain compromise: the attacker never needed to trick a single site owner. They poisoned the source, and WordPress's built-in update system did the rest. For the sites that pulled the update during that six-hour window, the infection was silent, automatic, and came from a trusted channel. The multi-layered persistence means that simply removing the plugin does not clean the infection — the backdoor lives in three other places on the filesystem and in the database. Organizations that rely on WordPress for client-facing sites, e-commerce, or content delivery need to take this seriously.
Who Is Affected
- Any WordPress or Joomla site running Smart Slider 3 Pro version 3.5.1.35
- Sites with automatic plugin updates enabled that pulled the compromised version between approximately 06:00 and 12:00 UTC on April 7, 2026
- Managed hosting providers and agencies maintaining multiple WordPress sites with the Pro plugin
- The free version of Smart Slider 3 is not affected
How to Protect Yourself
1. Check your installed version
# From the server, check the plugin version directly
grep -i "Version:" /var/www/html/wp-content/plugins/nextend-smart-slider3-pro/smartslider3.php
If it shows 3.5.1.35, your site was compromised. Update to 3.5.1.36 or later immediately — but updating alone is not enough.
2. Hunt for persistence artifacts
# Must-use plugin backdoor
ls -la /var/www/html/wp-content/mu-plugins/object-cache-helper.php
# Dropped file in wp-includes
ls -la /var/www/html/wp-includes/class-wp-locale-helper.php
# Check active theme's functions.php for injected code
tail -50 /var/www/html/wp-content/themes/$(wp theme list --status=active --field=name --path=/var/www/html)/functions.php
Delete all three if found: the two dropped files, and the injected code in functions.php.
3. Remove hidden admin accounts and malicious database entries
# List all administrator accounts
wp user list --role=administrator --path=/var/www/html
# Delete suspicious accounts (wpsvc_* or wp_maint_*); wpsvc_backdoor is a placeholder for the username you found
wp user delete wpsvc_backdoor --reassign=1 --path=/var/www/html
# Clean malicious options from the database
wp option delete _wpc_ak --path=/var/www/html
wp option delete _wpc_uid --path=/var/www/html
wp option delete _wpc_uinfo --path=/var/www/html
wp option delete _wpc_msk --path=/var/www/html
wp option delete _perf_toolkit_source --path=/var/www/html
4. Clean wp-config.php and .htaccess
Check wp-config.php for an unauthorized WP_CACHE_SALT constant and remove it. Inspect .htaccess for injected rewrite rules.
5. Rotate every credential
- WordPress admin passwords
- Database credentials
- FTP/SSH credentials
- Hosting account passwords
- WordPress security keys and salts (regenerate at https://api.wordpress.org/secret-key/1.1/salt/)
6. If possible, restore from backup
The cleanest recovery is restoring from a backup dated April 5 or earlier, then updating to Smart Slider 3 Pro 3.5.1.36.
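The filesystem checks from steps 1, 2 and 4 can be combined into one read-only sweep that is easy to run across many sites. The script below is an added example, not code from Nextend or the original report; the function name scan_wp, the output labels, and the assumption that injected theme code mentions the C2 domain or option names in clear text are illustrative. Hidden accounts and database options still need the wp-cli checks in step 3.

```shell
#!/bin/sh
# Added example: read-only sweep for the filesystem indicators this article names.
# Prints one finding per line; exit status is non-zero when anything is found.
# Usage: scan_wp /var/www/html

scan_wp() (
  root="${1%/}"
  hits=0
  plugin="$root/wp-content/plugins/nextend-smart-slider3-pro/smartslider3.php"

  # Step 1: plugin header reports the compromised build (3.5.1.35 exactly).
  if [ -f "$plugin" ] && grep -Eiq 'Version:[[:space:]]*3\.5\.1\.35([^0-9]|$)' "$plugin"; then
    echo "VERSION $plugin"; hits=$((hits + 1))
  fi

  # Step 2: the two dropped persistence files.
  for f in "$root/wp-content/mu-plugins/object-cache-helper.php" \
           "$root/wp-includes/class-wp-locale-helper.php"; do
    if [ -e "$f" ]; then echo "FILE $f"; hits=$((hits + 1)); fi
  done

  # Step 2 (theme): ASSUMPTION - injected code names the C2 domain or the
  # backdoor's option keys in clear text. Obfuscated code will not match,
  # so a miss here does not replace a manual read of functions.php.
  strings='wpjs1\.com|_wpc_(ak|uid|uinfo|msk)|_perf_toolkit_source'
  for f in "$root"/wp-content/themes/*/functions.php; do
    if [ -f "$f" ] && grep -Eq "$strings" "$f"; then
      echo "STRING $f"; hits=$((hits + 1))
    fi
  done

  # Step 4: unauthorized constant in wp-config.php.
  if [ -f "$root/wp-config.php" ] && grep -q 'WP_CACHE_SALT' "$root/wp-config.php"; then
    echo "CONFIG $root/wp-config.php"; hits=$((hits + 1))
  fi

  [ "$hits" -eq 0 ]
)

# Run against a path when one is given on the command line.
if [ "$#" -gt 0 ]; then scan_wp "$1"; fi
```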
Source
Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers — The Hacker News