CRITICAL: Smart Slider 3 Pro Users Hit With Supply Chain Backdoor Through Hijacked Update System
Attackers hijacked the official update infrastructure for Smart Slider 3 Pro, a WordPress plugin with 800,000+ installations, and pushed a weaponized backdoor during a six-hour window. The malware creates hidden admin accounts, achieves pre-auth RCE, and exfiltrates credentials to C2 servers.
If you run WordPress sites for clients, this one should make you uncomfortable. Unknown attackers managed to hijack the official update infrastructure for Smart Slider 3 Pro, a popular WordPress slider plugin, and pushed a fully weaponized backdoor to anyone who hit the update button during a six-hour window last week.
Smart Slider 3 has more than 800,000 active installations across its free and Pro editions, making it one of those plugins you have probably seen on dozens of client sites without giving it much thought. That is exactly the kind of tool attackers love to target. The compromise affected version 3.5.1.35 of the Pro edition, which was distributed through Nextend's official update channel between April 7 and its detection roughly six hours later.
This was not some amateur hour webshell drop. According to Patchstack's analysis, the attackers deployed a multi-layered persistence toolkit with redundant re-entry points, hidden administrator accounts, and automatic command-and-control registration complete with credential exfiltration. The sophistication here is notable because they clearly intended to maintain access even if site owners discovered and removed part of the infection.
The malware's capabilities read like a nightmare checklist for anyone responsible for client WordPress sites. It achieves pre-authenticated remote code execution through custom HTTP headers, specifically using headers named X-Cache-Status and X-Cache-Key to pass commands directly to shell_exec on the server. It creates hidden administrator accounts with names like "wpsvc_a3f1" that are invisible to legitimate admins because the malware tampers with WordPress user query filters. It also installs persistence across three separate locations for redundancy, including a must-use plugin disguised as a caching component, injected code in the active theme's functions.php file, and a dropped file in the WordPress core wp-includes directory.
The exfiltration side is just as thorough. Everything gets shipped off to a command-and-control domain: the site URL, backdoor authentication keys, WordPress and PHP versions, admin email addresses, the database name, and most critically, the plaintext username and password of the administrator account along with a full list of all installed persistence methods. If your client updated during that six-hour window, assume the attackers have everything.
Nextend has since pulled the malicious version and released a clean version 3.5.1.36, but the damage may already be done for sites that received the poisoned update. The cleanup process is not trivial either. Affected sites need to hunt down and remove suspicious admin accounts, delete the persistence files across all three locations, purge malicious entries from the wp_options table, clean up modifications to wp-config.php and .htaccess, and reset credentials for administrator accounts, database users, FTP, SSH, and hosting panels. Missing any of these steps means the attackers can walk right back in.
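The persistence locations and indicators described above (header-driven shell_exec, the wpsvc_ account naming, and the mu-plugin, theme functions.php and wp-includes drop points) lend themselves to a quick triage sweep. The following is an added example, not Patchstack's or Nextend's code: the regex strings, the assumption that the plugin declares its version in the standard `Version:` header, and the sample tree it builds are all constructed for illustration, and any hit is a lead for manual review rather than proof of compromise.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the write-up: the header-driven shell_exec path and the
# hidden-admin naming scheme. Exact source strings are assumed; hits are leads.
SUSPECT = re.compile(r"HTTP_X_CACHE_(STATUS|KEY)|shell_exec\s*\(|wpsvc_[0-9a-f]{4}", re.I)
BAD_VERSION = re.compile(r"^\s*\*?\s*Version:\s*3\.5\.1\.35\s*$", re.M)

def scan(root):
    """Return sorted (reason, relative path) findings for a WordPress root."""
    root = Path(root)
    hits = []
    # Compromised Pro build: read the standard 'Version:' plugin header.
    for f in (root / "wp-content/plugins").glob("*/*.php"):
        if BAD_VERSION.search(f.read_text(errors="ignore")):
            hits.append(("plugin-version-3.5.1.35", f.relative_to(root).as_posix()))
    # The three persistence locations named in the analysis.
    spots = [("mu-plugin", (root / "wp-content/mu-plugins").glob("*.php")),
             ("theme-functions", (root / "wp-content/themes").glob("*/functions.php")),
             ("wp-includes-drop", (root / "wp-includes").rglob("*.php"))]
    for reason, files in spots:
        for f in files:
            if SUSPECT.search(f.read_text(errors="ignore")):
                hits.append((reason, f.relative_to(root).as_posix()))
    return sorted(hits)

def build_sample(base):
    """Constructed sample tree (not real malware): indicator strings only."""
    files = {
        "wp-content/plugins/smart-slider-3-pro/main.php": "<?php\n/*\n * Version: 3.5.1.35\n */\n",
        "wp-content/themes/clean/functions.php": "<?php add_action('init', 'clean_init');\n",
        "wp-content/themes/active/functions.php": "<?php // sample: HTTP_X_CACHE_STATUS\n",
        "wp-content/mu-plugins/cache-helper.php": "<?php // sample: creates wpsvc_a3f1\n",
        "wp-includes/class-wp-cache-helper.php": "<?php // sample: shell_exec( call\n",
        "wp-includes/version.php": "<?php $wp_version = '6.5';\n",
    }
    for rel, body in files.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return base

def demo():
    """Build the constructed sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample(tmp))

if __name__ == "__main__":
    for reason, path in demo():
        print(f"{reason:24} {path}")
```

Point `scan()` at a real document root to get the same report; remember that the hidden admin accounts are filtered from WordPress's own user listing, so audit `wp_users` directly in the database rather than through wp-admin.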
The free version of Smart Slider 3 is not affected, which provides small comfort given how common the Pro version is among agencies and MSPs who need the advanced features for client work.
This incident is a textbook example of why supply chain security is so difficult. Traditional perimeter defenses do not help when the malicious code arrives through a trusted update channel. Firewall rules, role-based access controls, nonce verification, and all the other security measures WordPress admins rely on are completely irrelevant when the plugin itself is the malware. The legitimate update mechanism that is supposed to keep software secure became the attack vector.
For managed service providers, this should reinforce the need for layered monitoring that does not assume updates are automatically safe. File integrity monitoring, anomaly detection on outbound connections, and regular audits of administrator accounts would all help catch this kind of compromise faster. The six-hour exposure window is small, but attackers moved fast enough to weaponize it completely.
If you are responsible for WordPress sites, start by checking whether any of them have Smart Slider 3 Pro installed and what version they are running. Version 3.5.1.35 is the bad one. Anything earlier should be safe but needs updating, and 3.5.1.36 is the fixed release. For sites that received the compromised version, Nextend has published detailed cleanup instructions, but realistically, a full site audit and credential rotation is the safest path forward. Trust nothing on a site that received attacker-controlled code.
References
- Patchstack Analysis: https://patchstack.com/blog/smart-slider-3-pro-supply-chain-attack
- Nextend Advisory: https://smartslider3.com/blog/security-advisory-april-2026