Smart Slider update hijacked to push malicious WordPress and Joomla versions

Hackers hijacked the update system for the Smart Slider 3 Pro plugin on WordPress and Joomla and pushed a malicious version that installed multiple backdoors, created hidden administrator accounts and stole sensitive data. Affected users have been told to move to version 3.5.1.36 or to an earlier clean release.

KEY FACTS

  • Affected version: Smart Slider 3 Pro 3.5.1.35 was compromised, according to the vendor.
  • Distribution date: The malicious update was pushed on April 7.
  • Impact: The code could create hidden admin users, plant backdoors and steal site data and credentials.
  • WordPress reach: Smart Slider 3 for WordPress is used on more than 900,000 websites.

A technical analysis from PatchStack said the malware was embedded in the plugin’s main file while keeping normal functionality intact. The report said it allowed remote command execution through crafted HTTP headers, included a second authenticated backdoor with PHP eval and OS command execution, and automated credential theft.

The malicious kit also created persistence layers in several locations. These included a hidden administrator account stored in the database, a must-use plugin placed in a mu-plugins directory, a backdoor in the active theme’s functions.php file and a PHP file in wp-includes that read its key from a .cache_key file.
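A defender's triage check for the persistence layers just described, added here as an example rather than vendor or Patchstack code. It assumes the standard WordPress layout (wp-content/mu-plugins, wp-content/themes/<theme>/functions.php, wp-includes), builds a throwaway sample tree with constructed file names to scan, and treats the eval/base64_decode patterns as heuristics to be confirmed against the published advisory.

```python
import re
import tempfile
from pathlib import Path

# Heuristic triage checks for the persistence spots the article lists: mu-plugins, theme
# functions.php, wp-includes/.cache_key. Added example, not vendor or Patchstack tooling.
SUSPICIOUS_CODE = re.compile(r"\b(eval|base64_decode|shell_exec|passthru|system)\s*\(", re.I)

def scan_wordpress_root(root):
    """Return sorted (category, relative path) findings for a WordPress install root."""
    root = Path(root)
    findings = []
    # 1. Must-use plugins load on every request and cannot be deactivated from the admin UI.
    for p in (root / "wp-content" / "mu-plugins").glob("**/*.php"):
        findings.append(("mu-plugin", p.relative_to(root).as_posix()))
    # 2. Theme functions.php containing eval/exec-style calls (heuristic, expect some noise).
    for p in (root / "wp-content" / "themes").glob("*/functions.php"):
        if SUSPICIOUS_CODE.search(p.read_text(errors="ignore")):
            findings.append(("theme-functions", p.relative_to(root).as_posix()))
    # 3. Anything under wp-includes that is, or reads from, a .cache_key file.
    for p in (root / "wp-includes").glob("**/*"):
        if p.name == ".cache_key":
            findings.append(("cache-key-file", p.relative_to(root).as_posix()))
        elif p.suffix == ".php" and ".cache_key" in p.read_text(errors="ignore"):
            findings.append(("wp-includes-backdoor", p.relative_to(root).as_posix()))
    return sorted(findings)

def unexpected_admins(users, known_admins):
    """Admin logins not in known_admins; users shaped like `wp user list --format=json` rows."""
    return sorted(u["user_login"] for u in users
                  if "administrator" in u.get("roles", "").split(",")  # assumed comma-joined
                  and u["user_login"] not in known_admins)

def build_sample_tree():
    """Constructed mini WordPress tree with one hit per location; returns its root."""
    root = Path(tempfile.mkdtemp())
    files = {  # file names and bodies are constructed samples, not real indicators
        "wp-content/mu-plugins/0-helper.php": "<?php /* constructed */",
        "wp-content/themes/twentytwentyfour/functions.php": "<?php eval(base64_decode($blob));",
        "wp-content/themes/clean/functions.php": "<?php add_theme_support('title-tag');",
        "wp-includes/class-wp-cache-helper.php": "<?php $k = file_get_contents(__DIR__ . '/.cache_key');",
        "wp-includes/.cache_key": "constructed",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root

if __name__ == "__main__":
    for category, path in scan_wordpress_root(build_sample_tree()):
        print(f"{category:22} {path}")
```

Hidden admin accounts live in the database, so `unexpected_admins` expects the user list exported separately (for example with WP-CLI) and compares it against the administrators you know you created.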

The vendor’s disclosure said administrators should assume full site compromise if they find the affected version. It recommended deleting malicious users, files and database entries, reinstalling WordPress core, plugins and themes from trusted sources, rotating credentials and regenerating WordPress security keys.

For Joomla installations, the advisory said the malicious code in version 3.5.1.35 may create hidden admin accounts, install additional backdoors in the cache and media directories, and steal site information and credentials. The safest backup restoration date was listed as April 5 to account for time zone differences.

WHY IT MATTERS

Supply chain compromises in widely used plugins can give attackers broad access to affected sites before defenders notice. The incident shows why site owners are urged to treat compromised updates as full breaches and verify all core files, accounts and credentials.