A sophisticated supply chain attack has compromised the official update infrastructure of Smart Slider 3 Pro, one of the most widely used premium slider plugins for WordPress and Joomla. On April 7, 2026, during a window of approximately six hours, any site that ran an automatic update received a fully weaponized backdoor disguised as version 3.5.1.35. With over 800,000 active installations across its free and Pro editions, the blast radius of this attack is potentially enormous.
What Happened: The Nextend Server Compromise
Smart Slider 3 Pro is developed by Nextend, a software company that distributes plugin updates through its own servers. Attackers gained unauthorized access to Nextend’s update distribution infrastructure and replaced the legitimate version 3.5.1.35 release package with a trojanized build containing a full remote access toolkit.
Sites using automatic updates — the default configuration for most managed WordPress environments — silently received and installed the malicious package. Nextend detected the compromise approximately six hours after the poisoned update was first distributed and pulled the malicious package, releasing the clean 3.5.1.36 immediately. However, every site that updated during that six-hour window is considered compromised.
Malware Capabilities: A Full Remote Access Toolkit
The trojanized version 3.5.1.35 is not a simple web shell. Security researchers at Patchstack conducted a full malware analysis and found a sophisticated, multi-layered remote access toolkit with the following capabilities:
- Unauthenticated remote code execution: The malware listens for specially crafted HTTP headers and executes arbitrary PHP code or OS commands without requiring any credentials from the attacker.
- Rogue administrator account creation: A hidden WordPress admin account is automatically created during installation, providing persistent authenticated access.
- Must-use plugin persistence: The malware installs a file in the WordPress mu-plugins (must-use plugins) directory, disguised as a legitimate caching component. Must-use plugins cannot be disabled through the standard WordPress admin interface, making this persistence mechanism particularly resilient.
- Data exfiltration on install: Upon installation, the malware immediately beacons out to the command-and-control domain wpjs1[.]com, transmitting the site’s URL, a secret backdoor key, hostname, plugin and WordPress version numbers, WordPress admin email address, WordPress database name, plaintext administrator username and password, and a list of all installed persistence mechanisms.
- Dual authenticated backdoor: Beyond the unauthenticated access mechanism, the malware also installs an authenticated backdoor supporting both PHP eval() and direct OS command execution for more capable post-exploitation operations.
Scope: Who Is Affected?
The attack specifically targets the Pro (paid) version of Smart Slider 3. The free version distributed through the WordPress.org plugin repository is not affected, as it uses WordPress’s own update infrastructure rather than Nextend’s servers.
Organizations affected are those that:
- Run Smart Slider 3 Pro on WordPress or Joomla.
- Had automatic updates enabled (default configuration).
- Updated between the release of 3.5.1.35 and approximately six hours later on April 7, 2026.
Immediate Actions Required
If your organization runs Smart Slider 3 Pro, treat this as an active incident and take the following steps immediately:
- Update immediately to Smart Slider 3 Pro version 3.5.1.36 or later (or downgrade to 3.5.1.34 or earlier if update is not possible).
- Audit WordPress administrator accounts for any unfamiliar users — the malware creates hidden admin accounts during installation.
- Check the mu-plugins directory for any unexpected files, particularly anything resembling a caching plugin that you did not install manually.
- Rotate all credentials — WordPress admin passwords, database passwords, and any credentials that may have been present on the server, as these were exfiltrated to the attacker’s C2 infrastructure.
- Block traffic to wpjs1[.]com at the firewall or DNS level and review web server access logs for HTTP requests containing unusual headers.
- Treat any affected site as fully compromised — assume the attacker has persistent access and full knowledge of your WordPress credentials.
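An offline triage pass for the version and mu-plugins checks in the list above, added here as an example and not taken from Nextend or Patchstack. It assumes the plugin's header reads "Smart Slider 3 Pro" and that you supply your own list of expected mu-plugins files; the sample tree and every file name in it are constructed.

```python
import re
import tempfile
from pathlib import Path

BAD_VERSION = "3.5.1.35"                       # trojanized build named in the article
C2_DOMAIN = "wpjs1[.]com".replace("[.]", ".")  # refanged only so it can be matched
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def plugin_headers(php_file):
    """Parse a plugin's header comment from its first 8 KiB, as WordPress does."""
    text = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    return {key.lower(): value for key, value in HEADER.findall(text)}

def triage(wp_root, expected_mu=()):
    """Return (kind, path relative to wp-content) findings for one site."""
    content = Path(wp_root) / "wp-content"
    found = []
    # 1. Trojanized version installed? Match the header, not the folder name.
    for php in sorted(content.glob("plugins/*/*.php")):
        h = plugin_headers(php)
        if "smart slider 3" in h.get("plugin name", "").lower() and h.get("version") == BAD_VERSION:
            found.append(("bad_version", php))
    # 2. Any mu-plugins file the operator did not deploy is suspect.
    for f in sorted(content.glob("mu-plugins/**/*")):
        if f.is_file() and f.name not in expected_mu:
            found.append(("unexpected_mu_plugin", f))
    # 3. Plaintext C2 reference; no hit proves nothing if the string is obfuscated.
    for f in sorted(content.rglob("*.php")):
        if C2_DOMAIN.encode() in f.read_bytes():
            found.append(("c2_reference", f))
    return [(kind, p.relative_to(content).as_posix()) for kind, p in found]

def build_sample(root):
    """Constructed site tree; file names and contents are invented for the demo."""
    files = {
        "plugins/smart-slider-pro/main.php": "<?php\n/*\nPlugin Name: Smart Slider 3 Pro\nVersion: 3.5.1.35\n*/\n",
        "mu-plugins/host-loader.php": "<?php // deployed by the operator\n",
        "mu-plugins/cache-helper.php": "<?php // constructed stand-in: " + C2_DOMAIN + "\n",
    }
    for name, body in files.items():
        path = Path(root) / "wp-content" / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample(site)
        for finding in triage(site, expected_mu={"host-loader.php"}):
            print(*finding)
```

Pass expected_mu as the file names your own deployment places in mu-plugins. An empty result does not clear a site that updated during the window.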
The Broader Supply Chain Threat to WordPress
This incident illustrates a fundamental vulnerability in the WordPress plugin ecosystem: premium plugins distributed outside the official WordPress.org repository rely entirely on the security of the plugin developer’s own infrastructure. When that infrastructure is compromised, every site running the plugin becomes a potential victim — silently, through the trusted automatic update mechanism.
Security teams responsible for WordPress environments should evaluate their exposure to this class of risk and consider implementing update review processes, especially for premium plugins that self-host their update servers.
Conclusion
The Smart Slider 3 Pro supply chain compromise is a serious incident affecting potentially hundreds of thousands of WordPress and Joomla sites worldwide. The sophistication of the malware — combining unauthenticated RCE, credential theft, and resilient mu-plugins persistence — suggests a well-resourced threat actor with specific goals. Any site that ran a Smart Slider 3 Pro update on April 7, 2026 should be treated as compromised and fully remediated immediately.