Smart Slider Updates Hijacked, Pushing Backdoored WordPress/Joomla Plugins

Cyber Threat Intelligence is flagging a serious supply chain attack targeting users of the popular Smart Slider 3 Pro plugin for both WordPress and Joomla. Attackers managed to hijack the plugin’s update mechanism, pushing out a malicious version (3.5.1.35) that injected multiple backdoors. This compromised version, reportedly distributed on April 7th, also created a hidden administrator account and exfiltrated sensitive data.

According to analysis by PatchStack, the malware embedded within the plugin is sophisticated. It acts as a multi-layered toolkit, maintaining the plugin’s legitimate functionality while allowing remote attackers to execute commands without authentication via crafted HTTP headers. A secondary, authenticated backdoor offers further PHP eval and OS command execution capabilities, alongside automated credential theft. Persistence is achieved through several means, including the hidden admin account and the creation of a disguised must-use plugin within the ‘mu-plugins’ directory, which automatically loads and can bypass standard security checks.

Smart Slider 3 is widely used, with its WordPress version active on over 900,000 websites. The vendor has identified the affected version as Pro 3.5.1.35 and strongly advises either updating immediately to version 3.5.1.36 or downgrading to 3.5.1.34 or earlier. This incident underscores the critical importance of verifying plugin integrity, even when updates arrive through official channels, especially for widely adopted software.

What This Means For You

  • Security teams should implement strict update validation procedures for all third-party plugins and themes, including checking code repositories or vendor advisories *before* applying updates, even when delivered via official update channels.
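The following triage helper is an added example, not code from the vendor, PatchStack, or this article. It ties together the two checks the text calls for: it maps an installed Smart Slider 3 Pro version onto the advisory's compromised/fixed/unaffected states and diffs an installed plugin tree against a known-good copy of the same release (the integrity check described above), and it lists must-use plugins and administrator accounts that are absent from a baseline recorded before the incident (the two persistence mechanisms described above). The plugin header text, file trees, baselines and user list are constructed sample data; the input shape of `wp user list --role=administrator --format=json` (entries carrying a `user_login` field) is an assumption about WP-CLI output, not something the article states.

```python
import hashlib
import json
import re
from pathlib import Path

# Version facts taken from the advisory text above.
COMPROMISED_VERSIONS = {"3.5.1.35"}
FIXED_VERSION = "3.5.1.36"
LAST_UNAFFECTED = "3.5.1.34"   # this version and earlier were not tampered with


def parse_version(text):
    """Turn '3.5.1.35' into (3, 5, 1, 35) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def plugin_header_version(header_text):
    """Extract the 'Version:' field from a WordPress plugin header comment block."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    return match.group(1) if match else None


def classify_version(version):
    """Map an installed version onto the three states named in the advisory."""
    if version in COMPROMISED_VERSIONS:
        return "compromised"
    parsed = parse_version(version)
    if parsed >= parse_version(FIXED_VERSION):
        return "fixed"
    if parsed <= parse_version(LAST_UNAFFECTED):
        return "unaffected"
    return "unknown"   # not named by the advisory; treat as suspect until verified


def hash_tree(files):
    """files: {relative_path: bytes} -> {relative_path: sha256 hex digest}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def read_tree(root):
    """Load a plugin directory from disk into the {relative_path: bytes} shape used below."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}


def diff_trees(installed, reference):
    """Compare the installed plugin against a known-good release of the same version.
    Files present only in the installed copy, or whose contents differ, are where
    injected code would show up; the reference copy should come from the vendor."""
    a, b = hash_tree(installed), hash_tree(reference)
    return {
        "added": sorted(set(a) - set(b)),
        "removed": sorted(set(b) - set(a)),
        "changed": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def unexpected_mu_plugins(mu_plugin_files, baseline):
    """WordPress loads every top-level .php file in wp-content/mu-plugins automatically,
    with no activation step, so any .php file not in your pre-incident baseline deserves review."""
    loaded = {name for name in mu_plugin_files if name.endswith(".php")}
    return sorted(loaded - set(baseline))


def unexpected_admins(wp_user_list_json, baseline_logins):
    """wp_user_list_json: assumed output of `wp user list --role=administrator --format=json`,
    a JSON array whose entries carry 'user_login'. Returns admin logins not in the baseline."""
    users = json.loads(wp_user_list_json)
    known = set(baseline_logins)
    return sorted(u["user_login"] for u in users if u["user_login"] not in known)


if __name__ == "__main__":
    # Constructed sample data for demonstration; none of it is a real artefact from the incident.
    header = "<?php\n/*\n * Plugin Name: Smart Slider 3 Pro\n * Version: 3.5.1.35\n */\n"
    version = plugin_header_version(header)
    print("installed version:", version, "->", classify_version(version))

    installed = {"plugin.php": b"<?php // legit", "inc/helper.php": b"<?php // legit\n// extra"}
    reference = {"plugin.php": b"<?php // legit", "inc/helper.php": b"<?php // legit"}
    print("tree diff vs known-good copy:", diff_trees(installed, reference))

    print("mu-plugins not in baseline:",
          unexpected_mu_plugins(["cache-helper.php", "readme.txt", "extra.php"], ["cache-helper.php"]))
    print("admins not in baseline:",
          unexpected_admins('[{"user_login": "owner"}, {"user_login": "extra_admin"}]', ["owner"]))
```

In practice the baselines (must-use plugin file names, administrator logins, and a vendor-supplied copy of the installed release) are recorded before an incident; without them the output of the persistence checks is only a list of what is present, not a judgement about it.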