Backdoored Smart Slider 3 Pro Update Delivered RCE and Persistent Site Compromise
Attackers compromised Nextend’s update infrastructure and used the official Smart Slider 3 Pro update channel to distribute a trojanized 3.5.1.35 release for WordPress and Joomla. The malicious package, available for roughly six hours, preserved normal plugin functionality while embedding a multi-layered malware toolkit that enabled unauthenticated remote command execution, authenticated backdoor access, credential theft, and long-term persistence. Researchers said the incident amounted to a software supply-chain compromise because the malware was pushed through a trusted vendor update mechanism rather than a direct intrusion path.
The backdoored update created hidden administrator accounts, planted must-use plugins and theme backdoors, and dropped files designed to resemble legitimate WordPress core components; the Joomla variant similarly installed hidden admin access and backdoors in cache and media directories while stealing site information and credentials. Nextend said only the Pro edition’s 3.5.1.35 version was affected, not the free plugin, and urged administrators to assume full site compromise, upgrade immediately to 3.5.1.36 or revert to 3.5.1.34 or earlier, restore from backups created before the intrusion if possible, reinstall trusted components, rotate credentials, regenerate WordPress salts, scan for malware, and harden administrative access with measures such as MFA and restricted admin exposure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Patchstack publishes technical analysis of Smart Slider compromise
Patchstack disclosed that the malicious update preserved normal plugin functionality while embedding a multi-layered malware toolkit enabling unauthenticated remote command execution, hidden administrator creation, credential theft, and persistence on WordPress and Joomla sites. It characterized the incident as a supply-chain compromise delivered through a trusted software update channel.
Vendor issues remediation guidance and safe upgrade path
Nextend advised administrators to immediately upgrade to version 3.5.1.36 or revert to 3.5.1.34 and earlier, and to assume full site compromise if they installed the malicious update. The guidance included restoring from backups dated before 2026-04-05 if possible, rotating credentials, regenerating WordPress salts, reinstalling trusted components, and scanning for malware.
Nextend removes malicious update and shuts down update servers
After discovering the supply-chain compromise, Nextend shut down its update servers and removed the malicious 3.5.1.35 release. The vendor stated that only Smart Slider 3 Pro version 3.5.1.35 was affected.
Trojanized Smart Slider 3 Pro update released via official channel
Unknown attackers compromised Nextend's update infrastructure and distributed a malicious Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla through the official update mechanism. The backdoored release was made available on 2026-04-07 and remained accessible for about six hours.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers
thehackernews.com
Open sourceSmart Slider updates hijacked to push malicious WordPress, Joomla versions
bleepingcomputer.com
Open sourceWordPress security advisory: Smart Slider 3 Pro 3.5.1.35 compromise - Smart Slider Documentation
smartslider.helpscoutdocs.com
Open sourceCritical Supply Chain Compromise in Smart Slider 3 Pro: Full Malware Analysis - Patchstack
patchstack.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Backdoored ShapedPlugin Pro Updates Exposed WordPress Sites to Full Takeover
A supply-chain compromise of ShapedPlugin’s premium WordPress plugin distribution inserted backdoor code into official paid releases, allowing unauthenticated attackers to fully compromise affected websites. Wordfence said the attackers tampered with the vendor’s update pipeline used for Pro builds distributed via Easy Digital Downloads, while free versions in the WordPress repository were not affected. Confirmed malicious releases included **Smart Post Show Pro** `4.0.1`, **Product Slider for WooCommerce Pro** `3.5.2`, and **Real Testimonials Pro** `3.2.4`, which were later replaced by clean versions `4.0.2`, `3.5.3`, and `3.2.5`; the incident is tracked as **`CVE-2026-10735`** with a reported **CVSS 9.8**.
Jun 23, 2026
Backdoored Essential Plugin WordPress Add-ons Compromised Thousands of Sites
A supply-chain attack hit the **Essential Plugin** WordPress portfolio after the plugin business was reportedly acquired by a new owner who inserted a hidden backdoor into trusted add-ons used by thousands of websites. Researchers said the malicious code was added to `Countdown Timer Ultimate` version `2.6.7` in August 2025 as a PHP deserialization backdoor, then left dormant for about eight months before activating in early April 2026. Once triggered, affected sites contacted `analytics.essentialplugin.com`, received additional payloads, and had malicious code written into `wp-config.php`. The compromise allowed attackers to serve hidden spam links, fake pages, and redirects to Googlebot while remaining largely invisible to site owners. WordPress.org subsequently closed all **31** Essential Plugin entries in the plugin directory and pushed version `2.6.9.1` to remove the phone-home behavior, but reports warned that the update did **not** clean already-compromised `wp-config.php` files. Hosting providers and researchers urged administrators to manually inspect and remove any still-installed malicious plugins and persistence left on their servers, underscoring the risk that plugin ownership changes can turn established WordPress software into a malware distribution channel.
Apr 16, 2026
Smart Slider 3 File-Read Flaw Exposes WordPress Secrets on 500,000 Sites
A file-read vulnerability in the **Smart Slider 3** WordPress plugin could let authenticated users with only subscriber-level access read arbitrary files from the server, including `wp-config.php`, on more than 500,000 likely unpatched sites. The flaw, tracked as **`CVE-2026-3098`**, affects all versions through **`3.5.1.33`** and stems from missing capability checks and insufficient file validation in the plugin’s AJAX export functionality. Researcher Dmitrii Ignatyev reported the issue, which was validated by Wordfence before developer Nextendweb released a fix in **Smart Slider 3 `3.5.1.34`**. Security reporting said there was no evidence of active exploitation at publication time, but successful attacks could expose database credentials, cryptographic keys, and WordPress salt values, creating a path to broader site compromise.
Mar 31, 2026