Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers

Summary

Threat actors compromised Nextend's update infrastructure and distributed a malicious version (3.5.1.35) of the Smart Slider 3 Pro WordPress plugin, which was live for approximately 6 hours. The backdoor enables pre-authenticated remote code execution, rogue admin account creation, persistent access via multiple methods, and data exfiltration to the C2 domain wpjs1[.]com. Over 800,000 active installations were potentially impacted before the malicious version was detected and pulled.

Full text

Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers Ravie LakshmananApr 10, 2026Malware / Website Security Unknown threat actors have hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla to push a poisoned version containing a backdoor. The incident impacts Smart Slider 3 Pro version 3.5.1.35 for WordPress, per WordPress security company Patchstack. Smart Slider 3 is a popular WordPress slider plugin with more than 800,000 active installations across its free and Pro editions. "An unauthorized party gained access to Nextend’s update infrastructure and distributed a fully attacker-authored build through the official update channel," the company said. "Any site that updated to 3.5.1.35 between its release on April 7, 2026, and its detection approximately 6 hours later received a fully weaponized remote access toolkit." Nextend, which maintains the plugin, said an unauthorized party gained unauthorized access to its update system and pushed a malicious version (3.5.1.35 Pro) that remained accessible for approximately six hours, before it was detected and pulled. The trojanized update includes the ability to create rogue administrator accounts, as well as drop backdoors that execute system commands remotely via HTTP headers and run arbitrary PHP code via hidden request parameters. According to Patchstack, the malware comes with the following capabilities - Achieve pre-authenticated remote code execution via custom HTTP headers like X-Cache-Status and X-Cache-Key, the latter of which contains the code that's passed to "shell_exec()." A backdoor that supports dual execution modes, enabling the attacker to execute arbitrary PHP code and operating system commands on the server. Create a hidden administrator account (e.g., "wpsvc_a3f1") for persistent access and make it invisible to legitimate administrators by tampering with the "pre_user_query" and "views_users" filters. Use three custom WordPress options that are set with the "autoload" setting disabled to reduce their visibility in option dumps: _wpc_ak (a secret authentication key), _wpc_uid (user ID of the hidden administrator account), and _wpc_uinfo (Base64-encoded JSON containing the plaintext username, password, and email of the rogue account). Install persistence in three locations for redundancy: create a must-use plugin with the filename "object-cache-helper.php" to make it look like a legitimate caching component, append the backdoor component to the active theme's "functions.php" file, and drop a file named "class-wp-locale-helper.php" in the WordPress "wp-includes" directory. Exfiltrate data containing site URL, secret backdoor key, hostname, Smart Slider 3 version, WordPress version, and PHP version, WordPress admin email address, WordPress database name, plaintext username and password of the administrator account, and a list of all installed persistence methods to the command-and-control (C2) domain "wpjs1[.]com." "The malware operates in several stages, each designed to ensure deep, persistent, and redundant access to the compromised site," Patchstack said. "The sophistication of the payload is notable: rather than a simple webshell, the attacker deployed a multi-layered persistence toolkit with several independent, redundant re-entry points, user concealment, resilient command execution with fallback chains, and automatic C2 registration with full credential exfiltration. It's worth noting that the free version of the WordPress plugin is not affected. To contain the issue, Nextend shut down its update servers, removed the malicious version, and launched a full investigation into the incident. Users who have the trojanized version installed are advised to update to version 3.5.1.36. In addition, users who have installed the rogue version are recommended to perform the following cleanup steps - Check for any suspicious or unknown admin accounts and remove them. Remove Smart Slider 3 Pro version 3.5.1.35 if installed. Reinstall a clean version of the plugin. Remove all persistence files that allow the backdoor to persist on the site. Delete malicious WordPress options from the "wp_options" table: _wpc_ak, _wpc_uid, _wpc_uinfo, _perf_toolkit_source, and wp_page_for_privacy_policy_cache. Clean up the "wp-config.php" file, including removing "define('WP_CACHE_SALT', '<token>');" if it exists. Remove the line "# WPCacheSalt <token>" from the ".htaccess" file located in the WordPress root folder. Reset the administrator and WordPress database user passwords. Change FTP/SSH and hosting account credentials. Review the website and logs for any unauthorized changes and unusual POST requests. Enable two-factor authentication (2FA) for admins and disable PHP execution in the uploads folder. "This incident is a textbook supply chain compromise, the kind that renders traditional perimeter defenses irrelevant," Patchstack said. "Generic firewall rules, nonce verification,role-based access controls,none of them apply when the malicious code is delivered through the trusted update channel. The plugin is the malware." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cybersecurity, Malware, Patchstack, remote code execution, supply chain attack, WordPress Trending News Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS Block the Prompt, Not the Work: The End of "Doctor No" BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems AI Will Change Cybersecurity. Humans Will Define Its Success. A Lesson No Algorithm Can Teach The AI Arms Race – Why Unified Exposure Management Is Becoming a Boardroom Priority Popular Resources Learn How to Block Breached Passwords in Active Directory Before Attacks Get Full Visibility into Vendor and Internal Risk in One Platform [Guide] Get Practical Steps to Govern AI Agents with Runtime Controls Secure Your AI Systems Across the Full Lifecycle of Risks

Indicators of Compromise

• domain — wpjs1.com
• malware — Smart Slider 3 Pro v3.5.1.35 (backdoored)

Entities