Smart Slider 3 Pro Hijacked to Push Backdoored Updates

Smart Slider 3 Pro version 3.5.1.35 was hijacked to push malicious WordPress and Joomla updates with hidden admin accounts and multi-layer backdoors.

April 9, 2026 · VibeWShield News Agent · bleepingcomputer.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

Smart Slider 3 Pro Update System Compromised in Supply Chain Attack

Attackers hijacked the update distribution system for Smart Slider 3 Pro and pushed a backdoored plugin version to WordPress and Joomla sites. The malicious update, version 3.5.1.35, was distributed on April 7, 2026. Any site that auto-updated on that date should be treated as fully compromised. The vendor has since released 3.5.1.36 as a clean replacement and recommends rolling back to 3.5.1.34 or earlier if needed.

Smart Slider 3 for WordPress is active on over 900,000 sites. That reach makes this supply chain attack serious. The malicious code was not a simple webshell drop. Patchstack's analysis describes it as a fully featured, multi-layered toolkit embedded directly in the plugin's main file, with normal slider functionality left intact so that nothing looked obviously broken.

How the Backdoored Plugin Works

The malicious update packed several distinct attack mechanisms into one package.

The first backdoor allows unauthenticated remote command execution via crafted HTTP headers. No login is required. A second backdoor, which requires authentication, adds PHP eval execution and OS-level command execution. The two operate independently, so disabling one does not stop the other.

Persistence is where this kit gets sophisticated. It creates a hidden administrator account with a username prefixed by wpsvc_ and stores credentials directly in the database. It also creates a mu-plugins directory and drops a must-use plugin disguised as a caching component. Must-use plugins load automatically, cannot be disabled from the WordPress dashboard, and are invisible in the standard plugins list.

The malware also injects a backdoor into the active theme's functions.php file and drops a PHP file inside wp-includes with a name mimicking a legitimate WordPress core class. That last backdoor reads its authentication key from a .cache_key file on disk rather than the database. Resetting your database credentials does nothing to neutralize it. It continues functioning even if WordPress fails to bootstrap fully.

For Joomla, the malicious code installs additional backdoors in the /cache and /media directories and steals site credentials and configuration data.

What's at Risk for Developers and Site Owners

If your site ran Smart Slider 3 Pro and pulled the 3.5.1.35 update, assume every credential stored on that server is compromised. That includes WordPress admin passwords, database credentials, FTP and SSH keys, hosting panel access, and any email accounts tied to the site.

The multi-layer persistence design means a simple plugin reinstall is not sufficient cleanup. Attackers retain access through the mu-plugin, the theme injection, and the filesystem-based backdoor even if you delete the original plugin and reset your database.

How to Clean Up and Harden Affected Sites

If you have a clean backup from before April 5, 2026, restore from that. The vendor recommends April 5 as the cutoff to account for time zone differences in update delivery.

If no backup exists, follow this sequence:

  • Remove version 3.5.1.35 and install 3.5.1.36 from a trusted source
  • Delete any admin accounts with the wpsvc_ prefix or other unrecognized users
  • Audit and remove files in mu-plugins, wp-includes, and active theme directories
  • Reinstall WordPress core, all plugins, and themes from scratch
  • Rotate every credential (WordPress, database, FTP, SSH, hosting, email)
  • Regenerate WordPress security keys and salts
  • Scan for remaining malware and review access logs for suspicious requests
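A filesystem triage pass for the audit steps above, as an added example that is not from the vendor, Patchstack, or the original report. It assumes you have exported the administrator logins and unpacked a clean WordPress core of the same version next to the site; the file names and the `.cache_key` location in the demo tree are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def digest(p):
    return hashlib.sha256(p.read_bytes()).hexdigest()

def triage(site_root, clean_core, admin_logins):
    """Return (kind, detail) findings for the persistence layers the article lists."""
    site, clean = Path(site_root), Path(clean_core)
    # Hidden administrator accounts carry the wpsvc_ username prefix.
    findings = [("hidden-admin", u) for u in admin_logins if u.lower().startswith("wpsvc_")]
    # Must-use plugins are absent from the dashboard list, so list every file for review.
    mu = site / "wp-content" / "mu-plugins"
    if mu.is_dir():
        findings += [("mu-plugin", f.relative_to(site).as_posix())
                     for f in sorted(mu.rglob("*")) if f.is_file()]
    # The filesystem backdoor keeps its key in a .cache_key file; search the whole tree.
    for dirpath, _dirs, files in os.walk(site):
        if ".cache_key" in files:
            findings.append(("cache-key", (Path(dirpath) / ".cache_key").relative_to(site).as_posix()))
    # A dropped file named like a core class stands out against a clean core of the same version.
    for f in sorted((site / "wp-includes").rglob("*.php")):
        rel = f.relative_to(site)
        ref = clean / rel
        if not ref.is_file():
            findings.append(("unknown-core-file", rel.as_posix()))
        elif digest(f) != digest(ref):
            findings.append(("modified-core-file", rel.as_posix()))
    return findings

def build_constructed_demo(tmp):
    """Constructed sample trees; file names and the .cache_key location are hypothetical."""
    site, clean = Path(tmp, "site"), Path(tmp, "clean")
    for root in (site, clean):
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-includes" / "class-wp-query.php").write_text("<?php // core\n")
    (site / "wp-includes" / "class-wp-example-loader.php").write_text("<?php // dropped\n")
    (site / "wp-includes" / ".cache_key").write_text("constructed\n")
    (site / "wp-content" / "mu-plugins").mkdir(parents=True)
    (site / "wp-content" / "mu-plugins" / "example-cache.php").write_text("<?php\n")
    return site, clean

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = build_constructed_demo(tmp)
        for kind, detail in triage(site, clean, ["editor_in_chief", "wpsvc_a1b2"]):
            print(f"{kind:20} {detail}")
```

The same clean-copy comparison applies to the active theme's functions.php, using a fresh download of the theme as the reference.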

After cleanup, enable two-factor authentication on all admin accounts, restrict wp-admin access by IP where possible, and keep all components updated. Running a dynamic scan against your site can help surface any backdoors or injected endpoints that manual review might miss. Check your exposure at /scan.

For more on plugin supply chain risks, see our coverage in the VibeWShield blog.

FAQ

How do I know if my site installed the malicious update?
Check your plugin version. If Smart Slider 3 Pro shows version 3.5.1.35, your site was exposed. Also check for admin users with the wpsvc_ prefix and unexpected files in mu-plugins or wp-includes.

Does removing the plugin fully remove the backdoor?
No. The malware installs persistence layers outside the plugin directory, including in mu-plugins, the active theme, and wp-includes. A full site audit and credential rotation are required.

Does this affect Smart Slider 3 Free (the non-Pro version)?
According to the vendor, only the Pro version 3.5.1.35 was affected. Free version users were not targeted through this update channel.

