Anavem

Smart Slider 3 Pro Plugin Hijacked via Supply Chain Attack

Attackers compromised the Smart Slider 3 Pro plugin update system, pushing malicious backdoors to WordPress and Joomla sites worldwide.

9 April 2026, 18:15 (5 min read)

Last updated 9 April 2026, 19:27

Severity: High
Exploit: Active Exploit
Patch status: Available
Vendor: Nextend
Affected: Smart Slider 3 Pro plugin vers...
Category: Cyber Attacks

Smart Slider 3 Pro Update System Compromised in Supply Chain Attack

Cybercriminals successfully infiltrated the update infrastructure for Smart Slider 3 Pro, a popular WordPress and Joomla plugin, on April 8, 2026. The attackers gained unauthorized access to the plugin's distribution servers and pushed a weaponized version containing multiple backdoors to websites running the software. The malicious update was distributed through the plugin's automatic update mechanism, affecting installations that had enabled auto-updates.

Smart Slider 3 Pro, developed by Nextend, is a premium slideshow and content presentation plugin used by over one million websites worldwide. The plugin allows users to create responsive sliders, carousels, and hero sections with drag-and-drop functionality. The compromised version, identified as build 3.5.1.15, contained obfuscated PHP code designed to establish persistent access to affected websites.

The supply chain attack represents a sophisticated breach of the plugin's code signing and distribution infrastructure. Security researchers analyzing the malicious payload discovered that the backdoors were carefully integrated into legitimate plugin files, making detection difficult through standard security scans. The attackers embedded the malicious code within existing functions, disguising it as routine plugin operations while maintaining full functionality of the original software.

Nextend's security team detected the compromise approximately 18 hours after the malicious update began distribution. The company immediately revoked the compromised build and pushed a clean emergency update to all affected installations. However, the delay allowed the malicious version to reach thousands of websites before containment measures took effect. The attack vector appears to have involved compromised developer credentials or exploitation of vulnerabilities in the plugin's build and deployment pipeline.

WordPress and Joomla Sites Running Smart Slider 3 Pro at Risk

The supply chain attack primarily affects websites running Smart Slider 3 Pro versions that received the malicious 3.5.1.15 update between April 8 and April 9, 2026. WordPress installations with automatic updates enabled were most vulnerable, as the compromised version was distributed through the plugin's standard update mechanism. Joomla sites using the plugin faced similar exposure, though the attack vector varied slightly due to differences in the content management systems' update architectures.

Website administrators running shared hosting environments face heightened risk, as the backdoors could potentially provide attackers with access to multiple sites hosted on the same server. E-commerce websites using Smart Slider 3 Pro for product showcases and promotional content are particularly vulnerable, as the backdoors could facilitate data theft, payment card skimming, or unauthorized administrative access. Corporate websites utilizing the plugin for marketing presentations and client portfolios also face significant security exposure.

The malicious update affected both free and premium license holders, though premium users with active support contracts received faster notification and remediation guidance. Websites that disabled automatic updates or maintained strict change management procedures avoided the initial compromise but remain vulnerable if administrators manually applied the malicious update. Security researchers estimate that between 50,000 and 100,000 websites may have received the compromised version before its removal.

Multiple Backdoors Deployed Through Compromised Plugin Update

The malicious Smart Slider 3 Pro update contained three distinct backdoors designed to provide persistent access and data exfiltration capabilities. The primary backdoor, embedded within the plugin's core rendering engine, established a web shell accessible through specially crafted HTTP requests. This backdoor allowed attackers to execute arbitrary PHP code, upload additional malware, and access sensitive website files including configuration databases and user credentials.

A secondary backdoor focused on WordPress-specific functionality, hooking into the content management system's user authentication mechanisms. This component could create hidden administrative accounts, modify existing user permissions, and bypass security plugins that monitor login attempts. The third backdoor targeted database operations, logging sensitive information including user passwords, payment details, and personal data to external command-and-control servers.

Website administrators should immediately check their Smart Slider 3 Pro version and update to the latest clean release. Sites running version 3.5.1.15 should be considered compromised and require comprehensive security auditing. Administrators should review web server logs for suspicious HTTP requests, examine database records for unauthorized user accounts, and scan for additional malware that may have been deployed through the backdoors. CISA's Known Exploited Vulnerabilities catalog provides guidance on supply chain attack response procedures.

Nextend has released version 3.5.1.16 as an emergency security update that removes all malicious code and implements additional integrity checks. The company recommends that affected users change all administrative passwords, review user accounts for unauthorized additions, and implement additional security monitoring. Organizations should also consider temporarily disabling the plugin until comprehensive security audits can be completed to ensure no residual compromise remains.
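The three checks recommended above (installed version, unexpected administrator accounts, web server logs) can be scripted for triage. The following is an added example, not Nextend's tooling or anything shipped with the plugin: the plugin folder name, the sample data and the "direct POST to a plugin PHP file" log heuristic are assumptions, and the heuristic is a lead to review, not evidence of a web shell on its own.

```python
import re
from datetime import datetime, timezone

# Facts taken from the advisory above.
COMPROMISED_BUILD, CLEAN_BUILD = "3.5.1.15", "3.5.1.16"
WINDOW = (datetime(2026, 4, 8, tzinfo=timezone.utc), datetime(2026, 4, 10, tzinfo=timezone.utc))
# Assumed plugin folder name; substitute the real one found under wp-content/plugins/.
PLUGIN_DIR = "/wp-content/plugins/smart-slider-3-pro/"

def parse_version(v):
    """Compare as int tuples: as strings, '3.5.1.9' would sort after '3.5.1.15'."""
    return tuple(int(p) for p in v.strip().split("."))
def plugin_version(header_text):
    """Read the 'Version:' field of a WordPress plugin's main-file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.M)
    return m.group(1) if m else None
def classify(version):
    """'compromised' = the malicious build; 'clean' = the fixed build or later."""
    if version is None:
        return "unknown"
    v = parse_version(version)
    if v == parse_version(COMPROMISED_BUILD):
        return "compromised"
    return "clean" if v >= parse_version(CLEAN_BUILD) else "outdated"
def window_admins(users):
    """Administrator logins created while the bad build was circulating (UTC ISO timestamps)."""
    return [login for login, role, reg in users if role == "administrator"
            and WINDOW[0] <= datetime.fromisoformat(reg).replace(tzinfo=timezone.utc) < WINDOW[1]]
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
def direct_plugin_posts(log_lines):
    """Hunt lead, not proof: successful POSTs straight to PHP files inside the plugin folder.
    Plugin traffic normally flows through admin-ajax.php or the REST API instead."""
    hits = []
    for m in filter(None, map(LOG_RE.search, log_lines)):
        path = m["path"].split("?", 1)[0]
        if (m["method"], m["status"]) == ("POST", "200") \
                and path.startswith(PLUGIN_DIR) and path.endswith(".php"):
            hits.append(path)
    return hits

# Constructed sample inputs for a dry run (not real data).
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: Smart Slider 3 Pro\nVersion: 3.5.1.15\n*/\n"
SAMPLE_USERS = [("alice", "administrator", "2025-11-02T09:00:00"),
                ("svc_backup", "administrator", "2026-04-08T23:41:10"), ("bob", "editor", "2026-04-09T08:00:00")]
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Apr/2026:01:12:03 +0000] "POST /wp-content/plugins/smart-slider-3-pro/library/x.php HTTP/1.1" 200 512',
    '198.51.100.2 - - [09/Apr/2026:01:13:44 +0000] "GET /wp-content/plugins/smart-slider-3-pro/public/x.css HTTP/1.1" 200 77',
    '198.51.100.9 - - [09/Apr/2026:01:15:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60',
]
```

On a live site, feed `plugin_version` the plugin's main PHP file, `window_admins` the output of a user export, and `direct_plugin_posts` the access log; an "outdated" result means the site never received the bad build but should still move to 3.5.1.16.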

Frequently Asked Questions

How do I check if my Smart Slider 3 Pro plugin is compromised?

Check your plugin version in the WordPress or Joomla admin panel. If you're running version 3.5.1.15, your site is compromised and needs immediate attention. Update to version 3.5.1.16 and conduct a security audit.

What should I do if my site has the malicious Smart Slider 3 Pro update?

Immediately update to version 3.5.1.16, change all administrative passwords, review user accounts for unauthorized additions, and scan your site for additional malware. Consider hiring a security professional for comprehensive cleanup.

Can the Smart Slider 3 Pro backdoors steal customer data?

Yes, the backdoors include database logging capabilities that can capture user passwords, payment details, and personal information. E-commerce sites should notify customers and monitor for fraudulent activity.
