Find notable cyber news and cases, enriched with sources, timelines, and signals.

Smart Slider 3 Pro update system for WordPress hit by network compromise

Incident
First reported
Last updated
Happening score
H score 76
1 unique sources, 1 articles

Summary

Hide ▲

The Smart Slider 3 Pro update system was compromised, and a malicious 3.5.1.35 release was pushed to WordPress and Joomla sites. The bad update could create hidden administrator accounts, install multiple backdoors, and steal sensitive data, putting affected sites at risk of full compromise. The malicious package was distributed on April 7, and administrators are being told to replace it with 3.5.1.36 and treat exposed systems as potentially compromised.

Related Happenings

ShapedPlugin hit by network compromise

Incident
H score19 First: 18.06.2026 15:55 Last: 18.06.2026 15:55 Sources 1

About this happening: **ShapedPlugin** suffered a **supply-chain compromise** that pushed infected **WordPress plugin** releases to paying customers through the vendor's **official update system**, put...

WordPress.org closes compromised EssentialPlugin plugins with forced update

Security Tool/Service
H score16 First: 15.04.2026 23:33 Last: 15.04.2026 23:33 Sources 1

About this happening: **WordPress.org** closed the compromised **EssentialPlugin** plugins and forced an update, changing how affected sites received and ran the package. The move mattered because the...

EssentialPlugin package hit by network compromise

Incident
H score25 First: 15.04.2026 23:33 Last: 15.04.2026 23:33 Sources 1

About this happening: The **EssentialPlugin** WordPress package was **compromised with a backdoor**, enabling **unauthorized access** to websites running its plugins and putting **hundreds of thousands...

Smart Slider 3 arbitrary file read security flaw (CVE-2026-3098)

Vulnerability
H score83 First: 29.03.2026 17:38 Last: 29.03.2026 17:38 Sources 1

About this happening: **CVE-2026-3098** exposes **Smart Slider 3** sites to **arbitrary file read** when authenticated users abuse **AJAX export actions**, putting **wp-config.php** and database secret...

Smart Slider 3 security patch (CVE-2026-3098)

Security Patch Release
H score80 First: 29.03.2026 17:38 Last: 29.03.2026 17:38 Sources 1

About this happening: Nextendweb released **Smart Slider version 3.5.1.34** on **March 24, 2026**, closing **CVE-2026-3098** in the **Smart Slider 3 WordPress plugin**. The patch fixes an **arbitrary f...

Timeline

  1. 09.04.2026 19:15 1 articles · 3mo ago

    Malicious Smart Slider 3 Pro update reaches WordPress and Joomla sites

    Exploitation Observed

    Threat actors distributed a malicious Smart Slider 3 Pro 3.5.1.35 update to WordPress and Joomla sites on April 7, and some websites may have installed it. The compromised release introduced multiple backdoors and a hidden administrator account, exposing affected sites to credential theft and broader compromise.

    Show sources
  2. 09.04.2026 19:15 2 articles · 3mo ago

    Smart Slider team and PatchStack warn about compromised Smart Slider 3 Pro releases

    Technical Analysis Update

    The Smart Slider team disclosed that the update system for Smart Slider 3 Pro for WordPress was breached and warned that version 3.5.1.35 is compromised, advising a move to 3.5.1.36 or 3.5.1.34 and earlier. PatchStack identified a multi-layer toolkit embedded in the plugin's main file that can execute commands without authentication via crafted HTTP headers, includes a second authenticated backdoor with PHP eval and OS command execution, and persists through `mu-plugins`, `functions.php`, and `wp-includes`; the vendor also warned Joomla installs about hidden admin accounts, `/cache` and `/media` backdoors, and stolen site information and credentials.

    Show sources