Smart Slider 3 Pro update system for WordPress hit by network compromise
Incident
Summary
The Smart Slider 3 Pro update system was compromised, and a malicious 3.5.1.35 release was pushed to WordPress and Joomla sites. The bad update could create hidden administrator accounts, install multiple backdoors, and steal sensitive data, putting affected sites at risk of full compromise. The malicious package was distributed on April 7, and administrators are being told to replace it with 3.5.1.36 and treat exposed systems as potentially compromised.
Related Happenings
WordPress.org closes compromised EssentialPlugin plugins with forced update
Security Tool/Service
First: 15.04.2026 23:33
Last: 15.04.2026 23:33
Sources 1
About this happening:
**WordPress.org** closed the compromised **EssentialPlugin** plugins and forced an update, changing how affected sites received and ran the package. The move mattered because the...
EssentialPlugin package hit by network compromise
Incident
First: 15.04.2026 23:33
Last: 15.04.2026 23:33
Sources 1
About this happening:
The **EssentialPlugin** WordPress package was **compromised with a backdoor**, enabling **unauthorized access** to websites running its plugins and putting **hundreds of thousands...
Smart Slider 3 arbitrary file read security flaw (CVE-2026-3098)
Vulnerability
First: 29.03.2026 17:38
Last: 29.03.2026 17:38
Sources 1
About this happening:
**CVE-2026-3098** exposes **Smart Slider 3** sites to **arbitrary file read** when authenticated users abuse **AJAX export actions**, putting **wp-config.php** and database secret...
Smart Slider 3 security patch (CVE-2026-3098)
Security Patch Release
First: 29.03.2026 17:38
Last: 29.03.2026 17:38
Sources 1
About this happening:
Nextendweb released **Smart Slider version 3.5.1.34** on **March 24, 2026**, closing **CVE-2026-3098** in the **Smart Slider 3 WordPress plugin**. The patch fixes an **arbitrary f...
Josh Junon (qix) hit by network compromise
Incident
First: 08.09.2025 19:47
Last: 08.09.2025 19:47
Sources 1
About this happening:
**Josh Junon (qix)** confirmed a **phishing-driven account compromise** that let attackers inject malware into **NPM packages**, putting a supply chain with **over 2.6 billion wee...
Latest development: 10.09.2025 20:56
A password-reset phishing campaign against npm maintainer Josh Junon spread malicious package updates through the NPM ecosystem, reaching roughly 10% of cloud environments during a two-hour download window and forcing cleanup, rebuilding, and auditing work. The same campaign also compromised DuckDB's maintainer account and pushed packages with the same crypto-stealing code.
Timeline
- 09.04.2026 19:15 · 1 article
Malicious Smart Slider 3 Pro update reaches WordPress and Joomla sites
Exploitation Observed
Threat actors distributed a malicious Smart Slider 3 Pro 3.5.1.35 update to WordPress and Joomla sites on April 7, and some websites may have installed it. The compromised release introduced multiple backdoors and a hidden administrator account, exposing affected sites to credential theft and broader compromise.
Sources:
- Smart Slider updates hijacked to push malicious WordPress, Joomla versions — www.bleepingcomputer.com — 09.04.2026 19:15
- 09.04.2026 19:15 · 2 articles
Smart Slider team and PatchStack warn about compromised Smart Slider 3 Pro releases
Technical Analysis Update
The Smart Slider team disclosed that the update system for Smart Slider 3 Pro for WordPress was breached and warned that version 3.5.1.35 is compromised, advising a move to 3.5.1.36 or 3.5.1.34 and earlier. PatchStack identified a multi-layer toolkit embedded in the plugin's main file that can execute commands without authentication via crafted HTTP headers, includes a second authenticated backdoor with PHP eval and OS command execution, and persists through `mu-plugins`, `functions.php`, and `wp-includes`; the vendor also warned Joomla installs about hidden admin accounts, `/cache` and `/media` backdoors, and stolen site information and credentials.
Sources:
- Smart Slider updates hijacked to push malicious WordPress, Joomla versions — www.bleepingcomputer.com — 09.04.2026 19:15