Attackers who gained unauthorised access to Nextend’s plugin distribution infrastructure pushed a backdoored version of Smart Slider 3 Pro to WordPress and Joomla sites between approximately 07 April 2026 14:00 UTC and 20:00 UTC — a six-hour window during which any site with automatic plugin updates enabled silently received malware through an officially signed update. Nextend confirmed the compromise on 8 April, pulled the malicious version, and shipped a clean replacement (3.5.1.36). Sites that updated during the exposure window are compromised.
Attack Mechanism
Smart Slider 3 is one of the most widely used slider and content presentation plugins for WordPress, with over 800,000 active installations across its free and Pro editions. The attack did not exploit a vulnerability in the plugin itself — it exploited the update distribution infrastructure. An unauthorised party gained access to Nextend’s update servers and replaced the legitimate 3.5.1.35 build with a trojanised version before the legitimate build had been distributed at scale.
The malicious build contained a full remote access toolkit that executes on plugin activation. Its capabilities include:
- Creation of rogue WordPress administrator accounts with attacker-controlled credentials
- Deployment of persistent webshell backdoors that execute system commands via crafted HTTP headers
- Exfiltration of site metadata to attacker C2 infrastructure: site URL, hostname, WordPress and PHP versions, database name, admin email address, and the plaintext username and password of at least one administrator account
- Enumeration of all installed persistence methods, reported back to C2
The approach mirrors previous supply chain attacks against plugin ecosystems: because the malware arrived through the legitimate update channel with a valid signature, standard integrity and permission checks did not trigger. The plugin was the malware.
Why This Is Harder to Detect Than a Vulnerability Exploit
Traditional web application security controls — firewalls, nonce verification, role-based access controls, vulnerability scanners — provide no defence against this attack vector. The malicious code was signed by the legitimate vendor key, arrived via the expected update mechanism, and executed in the privileged context that all plugins run in. Perimeter controls saw a normal plugin update.
Detection requires either behavioural analysis (unusual outbound connections at plugin activation, unexpected admin account creation) or version auditing against a known-good hash of the plugin files. Security teams that rely solely on “has the site been scanned for known vulnerabilities” will not detect this.
Scope
Any WordPress or Joomla installation running Smart Slider 3 Pro that received the 3.5.1.35 update between 7–8 April 2026 should be treated as compromised. Sites using manual update workflows that have not yet applied any update since version 3.5.1.34 are not affected by this specific incident but remain on an older version.
Recommended Actions
- Immediately audit your Smart Slider 3 Pro version. If you are running 3.5.1.35, your site is compromised. Update to 3.5.1.36 (the clean replacement) immediately, but understand that updating alone does not remove the backdoor that has already been deployed.
- Conduct a full compromise assessment on affected sites. Check for newly created administrator accounts that do not correspond to known staff. Search for PHP webshell files in the plugin directory and wp-uploads. Review outbound HTTP requests in server logs from the time of the update.
- Rotate all WordPress admin credentials and database passwords. The exfiltrated payload includes plaintext administrator credentials. Treat every credential on an affected site as compromised and rotate immediately.
- Disable automatic plugin updates for Pro/paid plugins. Paid plugin update infrastructure is outside the WordPress.org repository’s security review process. Consider requiring manual approval for updates to premium plugins, or use a staging environment to validate updates before production deployment.
- Review your web host’s file integrity monitoring. Many managed WordPress hosts offer file integrity monitoring that would have flagged new files appearing in the plugin directory at update time. Enable this if not already active.
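The version audit and the known-good hash comparison described above, as an added example that is not Nextend's code or part of the original advisory. File names, the manifest format and the sample plugin tree are constructed for the demonstration; in practice the manifest would be built from a trusted copy of the version you intend to run.

```python
import hashlib
import re
import tempfile
from pathlib import Path

COMPROMISED_VERSION = "3.5.1.35"  # trojanised build named in the advisory
# The 'Version:' line of the plugin header that WordPress reads to report the installed build.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([\d.]+)", re.MULTILINE)

def plugin_version(plugin_dir: Path, main_file: str):
    """Return the version declared in the plugin's main PHP file header, or None."""
    match = VERSION_RE.search((plugin_dir / main_file).read_text(errors="replace"))
    return match.group(1) if match else None

def diff_against_manifest(plugin_dir: Path, manifest: dict) -> dict:
    """Hash every file under plugin_dir and list files added, modified or missing relative
    to a known-good {relative_path: sha256} manifest. Added PHP files are the webshell tell."""
    actual = {p.relative_to(plugin_dir).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
              for p in plugin_dir.rglob("*") if p.is_file()}
    return {"added": sorted(set(actual) - set(manifest)),
            "modified": sorted(k for k in actual.keys() & manifest.keys() if actual[k] != manifest[k]),
            "missing": sorted(set(manifest) - set(actual))}

def audit(plugin_dir: Path, main_file: str, manifest: dict) -> dict:
    """Flag the install if it reports the compromised version or deviates from the manifest.
    A legitimate update also changes files, so the manifest must match the version you intend to run."""
    version = plugin_version(plugin_dir, main_file)
    findings = diff_against_manifest(plugin_dir, manifest)
    suspicious = version == COMPROMISED_VERSION or bool(findings["added"] or findings["modified"])
    return {"version": version, "suspicious": suspicious, **findings}

def demo() -> dict:
    """Constructed sample (hypothetical file names): baseline hashed at 3.5.1.34, then a tree that
    received the bad update and gained an unexpected PHP file."""
    main = "smart-slider-3.php"
    baseline = {main: "<?php\n/*\nPlugin Name: Smart Slider 3 Pro\nVersion: 3.5.1.34\n*/\n",
                "includes/loader.php": "<?php // legitimate loader\n"}
    manifest = {k: hashlib.sha256(v.encode()).hexdigest() for k, v in baseline.items()}
    installed = {main: baseline[main].replace("3.5.1.34", COMPROMISED_VERSION),
                 "includes/loader.php": baseline["includes/loader.php"],
                 "cache/s3.php": "<?php // constructed stand-in for an unexpected file\n"}
    root = Path(tempfile.mkdtemp())
    for rel, body in installed.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return audit(root, main, manifest)

if __name__ == "__main__":
    print(demo())
```

Point `audit()` at the real plugin directory and a manifest generated from a clean copy; a non-empty `added` list under the plugin path is the indicator the advisory tells you to look for, and `missing` entries show files the update removed.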