Compromise of Smart Slider 3 Pro update system leads to multi-layered WordPress and Joomla backdoors
Summary
A threat actor compromised the update mechanism for the Smart Slider 3 Pro plugin (versions for WordPress and Joomla) and distributed a malicious update (3.5.1.35) on April 7, 2026. The malicious version installed multiple backdoors, created a hidden administrator account with stolen credentials, and exfiltrated sensitive data. The malware includes unauthenticated remote command execution via crafted HTTP headers and authenticated PHP eval/OS command backdoors. Persistence is achieved through hidden admin accounts, must-use plugins, theme injections, and core file tampering. The vendor recommends immediate upgrade to version 3.5.1.36 (or rollback to 3.5.1.34 or earlier) and comprehensive site remediation.
Timeline
- 09.04.2026 19:15: Malicious Smart Slider 3 Pro update 3.5.1.35 distributed via compromised update system
A threat actor compromised the Smart Slider 3 Pro plugin update system and pushed a malicious version (3.5.1.35) on April 7, 2026. The update introduced multiple backdoors and persistence mechanisms across WordPress and Joomla installations. Affected users are advised to upgrade to version 3.5.1.36 immediately or roll back to 3.5.1.34, then perform a full site remediation including credential rotation and malware scanning.
Sources:
- Smart Slider updates hijacked to push malicious WordPress, Joomla versions — www.bleepingcomputer.com — 09.04.2026 19:15
Information Snippets
- The Smart Slider 3 Pro plugin update system was compromised, leading to the distribution of a malicious version (3.5.1.35) on April 7, 2026.
First reported: 09.04.2026 19:15 (1 source, 1 article). Sources:
- Smart Slider updates hijacked to push malicious WordPress, Joomla versions — www.bleepingcomputer.com — 09.04.2026 19:15
- The malicious update affects only Pro version 3.5.1.35 of Smart Slider 3 for WordPress and Joomla; version 3.5.1.36 and the earlier, unaffected 3.5.1.34 are considered safe.
First reported: 09.04.2026 19:15 (1 source, 1 article). Sources:
- Smart Slider updates hijacked to push malicious WordPress, Joomla versions — www.bleepingcomputer.com — 09.04.2026 19:15
- The malware installs multiple backdoors, including an unauthenticated remote command execution vector via crafted HTTP headers and an authenticated PHP eval/OS command backdoor.
First reported: 09.04.2026 19:15 (1 source, 1 article). Sources:
- Smart Slider updates hijacked to push malicious WordPress, Joomla versions — www.bleepingcomputer.com — 09.04.2026 19:15
- Persistence mechanisms include creation of a hidden administrator account (often with the prefix wpsvc_), must-use plugins, injections into the active theme’s functions.php, and tampering with core files in wp-includes with a fake cache file storing authentication keys.
First reported: 09.04.2026 19:15 (1 source, 1 article). Sources:
- Smart Slider updates hijacked to push malicious WordPress, Joomla versions — www.bleepingcomputer.com — 09.04.2026 19:15
- The malware exfiltrates sensitive data and steals credentials stored in the database; changing database credentials does not neutralize all backdoors due to persistence in core files.
First reported: 09.04.2026 19:15 (1 source, 1 article). Sources:
- Smart Slider updates hijacked to push malicious WordPress, Joomla versions — www.bleepingcomputer.com — 09.04.2026 19:15
- The vendor recommends immediate upgrade to version 3.5.1.36 (or rollback to 3.5.1.34) and a comprehensive remediation process including reinstallation of WordPress core, rotation of all credentials, regeneration of WordPress security keys, and malware scanning.
First reported: 09.04.2026 19:15 (1 source, 1 article). Sources:
- Smart Slider updates hijacked to push malicious WordPress, Joomla versions — www.bleepingcomputer.com — 09.04.2026 19:15
- Smart Slider 3 is used on over 900,000 websites for responsive slider creation via a live editor with multiple layouts and designs.
First reported: 09.04.2026 19:15 (1 source, 1 article). Sources:
- Smart Slider updates hijacked to push malicious WordPress, Joomla versions — www.bleepingcomputer.com — 09.04.2026 19:15
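
A first-pass triage of one WordPress document root against the indicators listed above (plugin version 3.5.1.35, must-use plugins, administrator logins starting with wpsvc_), as an added example that is not code from the vendor or the cited report. Assumptions: the Pro plugin's "Plugin Name" header reads "Smart Slider 3 Pro", the administrator logins are supplied by the caller, and the fixture paths and logins are constructed.

```python
import re
import tempfile
from pathlib import Path

BAD_VERSION = "3.5.1.35"   # malicious release named in the report
ADMIN_PREFIX = "wpsvc_"    # hidden-admin prefix named in the report
# Assumption: the Pro plugin identifies itself with this "Plugin Name" header.
PLUGIN_NAME = "smart slider 3 pro"
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.M | re.I)

def plugin_headers(php_file):
    """Parse the plugin header comment (WordPress reads only the first 8 KiB)."""
    head = php_file.read_text(errors="replace")[:8192]
    return {k.lower(): v.strip() for k, v in HEADER_RE.findall(head)}

def triage(wp_root, admin_logins):
    """Return (finding, detail) pairs for one WordPress document root."""
    root, findings = Path(wp_root), []
    plugins = root / "wp-content" / "plugins"
    for php in (sorted(plugins.glob("*/*.php")) if plugins.is_dir() else []):
        h = plugin_headers(php)
        if PLUGIN_NAME in h.get("plugin name", "").lower() and h.get("version") == BAD_VERSION:
            findings.append(("malicious-version", php.relative_to(root).as_posix()))
    # Must-use plugins load on every request and cannot be deactivated from
    # the admin plugin list, so every file here needs a manual review.
    mu = root / "wp-content" / "mu-plugins"
    for php in (sorted(mu.glob("*.php")) if mu.is_dir() else []):
        findings.append(("review-mu-plugin", php.relative_to(root).as_posix()))
    for login in admin_logins:
        if login.lower().startswith(ADMIN_PREFIX):
            findings.append(("suspect-admin", login))
    return findings

def build_sample_site(base):
    """Constructed fixture: a site that received the bad update (all names invented)."""
    plugin = Path(base) / "wp-content" / "plugins" / "slider-pro-example"
    mu = Path(base) / "wp-content" / "mu-plugins"
    plugin.mkdir(parents=True)
    mu.mkdir(parents=True)
    (plugin / "main.php").write_text(
        "<?php\n/*\nPlugin Name: Smart Slider 3 Pro\nVersion: 3.5.1.35\n*/\n")
    (mu / "example-loader.php").write_text("<?php // constructed placeholder\n")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in triage(build_sample_site(tmp), ["editor_amy", "wpsvc_a1b2"]):
            print(*finding, sep="\t")
```

On a live site the login list can come from `wp user list --role=administrator --field=user_login`, and `wp core verify-checksums` covers the wp-includes tampering that this script does not inspect. A clean result here does not clear a site that ran 3.5.1.35; the full remediation the vendor describes still applies.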