{"id":557,"date":"2026-04-10T07:47:04","date_gmt":"2026-04-10T07:47:04","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=557"},"modified":"2026-04-10T07:47:04","modified_gmt":"2026-04-10T07:47:04","slug":"backdoored-smart-slider-3-pro-update-distributed-via-compromised-nextend-servers","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=557","title":{"rendered":"Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Apr 10, 2026<\/span><\/span><span class=\"p-tags\">Malware \/ Website Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhPUQqw4JQlrmSih69TSpC28TmE2G1rOMs1k_jrdeQbXFFNV6nPvlVQh9oMIwtOLiVJVUxYZFZ0RDiXmLDOPXpF-pbaStwjml7hxE-OITfsVlk2wA-nKUOpcn9R7FjQe03OInZdN2p8GmkFXAvYBbDeU_IDX1wuQ4iqc46lM6SraDPXhbEcCt-LNL0YTck\/s1700-e365\/slider.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>Unknown threat actors have hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla to push a poisoned version containing a\u00a0backdoor.<\/p>\n<p>The\u00a0incident impacts Smart Slider 3 Pro version 3.5.1.35\u00a0for WordPress, per WordPress security company Patchstack. Smart\u00a0Slider 3 is a popular WordPress slider plugin with more than 800,000 active installations across its free and Pro\u00a0editions.<\/p>\n<p>\u00abAn unauthorized party gained access to Nextend\u2019s update infrastructure and distributed a fully attacker-authored build through the official update channel,\u00bb the\u00a0company <a href=\"https:\/\/patchstack.com\/articles\/critical-supply-chain-compromise-in-smart-slider-3-pro-full-malware-analysis\/\">said<\/a>. \u00abAny site that updated to 3.5.1.35\u00a0between its release on April 7, 2026, and its detection approximately 6 hours later received a fully weaponized remote access\u00a0toolkit.\u00bb<\/p>\n<p>Nextend, which maintains the\u00a0plugin, <a href=\"https:\/\/wordpress.org\/support\/topic\/smart-slider-3-pro-update\/#post-18873519\">said<\/a> an unauthorized party gained unauthorized access to its update system and pushed a malicious version (3.5.1.35\u00a0Pro) that remained accessible for approximately\u00a0six hours, before it was detected and\u00a0pulled.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/vpn-risk-report-inside-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgWajeG0cdaapf1GKTZRUZUB7BzuYGegyw5k0eAorJXlmkFdYCCeLXXhXYJuXU9lWD33rV6rRnIyly3czoNfYifpxk1eGA5slItPmim3HkubXoQMgC4J7hdQPywxGbWq7Eqeff_o6s2Fq-WmSFd5guwdLn7IqpveMqULqtVnd-ndnljWYGj45EkMFB7m0qm\/s728-e100\/z-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>The\u00a0trojanized update includes the ability to create rogue administrator accounts, as well as drop backdoors that execute system commands remotely via HTTP headers and run arbitrary PHP code via hidden request parameters. According to Patchstack, the malware comes with the following capabilities\u00a0&#8211;<\/p>\n<ul>\n<li>Achieve pre-authenticated remote code execution via custom HTTP headers like X-Cache-Status and X-Cache-Key, the latter of which contains the code that&#8217;s passed to \u00abshell_exec().\u00bb<\/li>\n<li>A backdoor that supports dual execution modes, enabling the attacker to execute arbitrary PHP code and operating system commands on the server.<\/li>\n<li>Create a hidden administrator account (e.g., \u00abwpsvc_a3f1\u00bb) for persistent access and make it invisible to legitimate administrators by tampering with the \u00abpre_user_query\u00bb and \u00abviews_users\u00bb filters.<\/li>\n<li>Use three custom WordPress options that are set with the \u00abautoload\u00bb setting disabled to reduce their visibility in option dumps: _wpc_ak (a secret authentication key), _wpc_uid (user ID of the hidden administrator account), and _wpc_uinfo (Base64-encoded JSON containing the plaintext username, password, and email of the rogue account).<\/li>\n<li>Install persistence in three locations for redundancy: create a must-use plugin with the filename \u00abobject-cache-helper.php\u00bb to make it look like a legitimate caching component, append the backdoor component to the active theme&#8217;s \u00abfunctions.php\u00bb file, and drop a file named \u00abclass-wp-locale-helper.php\u00bb in the WordPress \u00abwp-includes\u00bb directory.<\/li>\n<li>Exfiltrate data containing site URL, secret backdoor key, hostname, Smart Slider 3 version, WordPress version, and PHP version, WordPress admin email address, WordPress database name, plaintext username and password of the administrator account, and a list of all installed persistence methods to the command-and-control (C2) domain \u00abwpjs1[.]com.\u00bb<\/li>\n<\/ul>\n<p>\u00abThe malware operates in several stages, each designed to ensure deep, persistent, and redundant access to the compromised site,\u00bb Patchstack\u00a0said.<\/p>\n<p>\u00abThe sophistication of the payload is notable: rather than a simple webshell, the attacker deployed a multi-layered persistence toolkit with several independent, redundant re-entry points, user concealment, resilient command execution with fallback chains, and automatic C2 registration with full credential exfiltration.<\/p>\n<p>It&#8217;s worth noting that the free version of the WordPress plugin is not affected. To\u00a0contain the issue, Nextend shut down its update servers, removed the malicious version, and launched a full investigation into the\u00a0incident.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/fast-response-not-fast-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjgi9mu68zRUz1nCLLKmkAA2aBtNfP_JOTXulZoB6yImso1Onk7oM_LI0kdROu8fq5S5oDyMtd1j50W44Ye_8Sl3zQZiE8A9tmFr6kejGKjGh74uoxluF-RyBq_unDQlzjXZHCqQeuYXBoogda5zf0w-zXd6v0rIM7fEw6TcFf_QGWBu5Mop-djkEaOUa5A\/s728-e100\/tl-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>Users who have the trojanized version installed are advised to update to version 3.5.1.36. In\u00a0addition, users who have installed the rogue version are recommended to perform\u00a0the <a href=\"https:\/\/smartslider.helpscoutdocs.com\/article\/2144-wordpress-security-advisory-smart-slider-3-pro-3-5-1-35-compromise\">following cleanup\u00a0steps<\/a>\u00a0&#8211;<\/p>\n<ul>\n<li>Check for any suspicious or unknown admin accounts and remove them.<\/li>\n<li>Remove Smart Slider 3 Pro version 3.5.1.35\u00a0if installed.<\/li>\n<li>Reinstall a clean version of the plugin.<\/li>\n<li>Remove all persistence files that allow the backdoor to persist on the site.<\/li>\n<li>Delete malicious WordPress options from the \u00abwp_options\u00bb table: _wpc_ak, _wpc_uid, _wpc_uinfo, _perf_toolkit_source, and wp_page_for_privacy_policy_cache.<\/li>\n<li>Clean up the \u00abwp-config.php\u00bb file, including removing \u00abdefine(&#8216;WP_CACHE_SALT&#8217;, &#8216;<token>&#8216;);\u00bb if it exists.<\/token><\/li>\n<li>Remove the line \u00ab# WPCacheSalt <token>\u00bb from the \u00ab.htaccess\u00bb file located in the WordPress root folder.<\/token><\/li>\n<li>Reset the administrator and WordPress database user passwords.<\/li>\n<li>Change FTP\/SSH and hosting account credentials.<\/li>\n<li>Review the website and logs for any unauthorized changes and unusual POST requests.<\/li>\n<li>Enable two-factor authentication (2FA) for admins and disable PHP execution in the uploads folder.<\/li>\n<\/ul>\n<p>\u00abThis incident is a textbook supply chain compromise, the kind that renders traditional perimeter defenses irrelevant,\u00bb Patchstack said. \u00abGeneric firewall rules, nonce verification,role-based\u00a0access controls,none of\u00a0them apply when the malicious code is delivered through the trusted update channel. The\u00a0plugin is the\u00a0malware.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Apr 10, 2026Malware \/ Website Security Unknown threat actors have hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla to push a poisoned&hellip;<\/p>\n","protected":false},"author":1,"featured_media":558,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1154,227,1157,1158,1156,777,1155,353,1029],"class_list":["post-557","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-backdoored","tag-compromised","tag-distributed","tag-nextend","tag-pro","tag-servers","tag-slider","tag-smart","tag-update"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/557","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=557"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/557\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/558"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=557"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=557"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=557"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}