Hackers have compromised the update system of the Smart Slider 3 Pro plugin for WordPress and Joomla, pushing a malicious update that installs multiple backdoors on affected websites.
The developer confirmed that only version 3.5.1.35 is impacted and is urging users to immediately switch to version 3.5.1.36 or revert to 3.5.1.34 and earlier.
The plugin, used on more than 900,000 websites, continued to function normally even after infection, making the attack harder to detect. Behind the scenes, the malicious version added hidden administrator accounts, stole sensitive data, and opened several access points for attackers.
Security researchers found that the malware is a complex toolkit embedded within the plugin’s main file. It allows attackers to execute commands remotely without authentication through specially crafted HTTP headers. It also includes another backdoor that enables command execution and automated credential theft once access is gained.
To maintain long-term access, the malware creates multiple persistence layers. It sets up a hidden admin user, stores credentials in the database, and installs a disguised must-use plugin that cannot be disabled from the WordPress dashboard. It also injects malicious code into the active theme’s functions file and places a fake core file inside the WordPress system directories.
One of the more advanced backdoors does not rely on the database at all. Instead, it reads an authentication key from a hidden file, allowing it to continue working even if WordPress is partially broken or database credentials are changed.
The malicious update was distributed on April 7, and the Smart Slider team recommends restoring backups from April 5 to stay safe across time zones. If no backup is available, site owners should remove the compromised plugin and install a clean version immediately.
Administrators who used the affected version should assume their site has been fully compromised. They are advised to remove all suspicious users and files, reinstall WordPress core, plugins, and themes from trusted sources, and rotate all credentials, including database, hosting, and email access. Resetting WordPress security keys and scanning for leftover malware is also essential.
Additional steps include enabling two-factor authentication, keeping all components updated, limiting admin access, and using strong, unique passwords to reduce the risk of future attacks.
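As a starting point for the cleanup described above, the following added example (not code from the Smart Slider team or the researchers) lists files in the persistence locations the article names so they can be reviewed by hand. It assumes the standard WordPress directory layout; the theme name and cutoff date are supplied by the operator, and treating dotfiles as the "hidden file" is an assumption.

```python
import os
import sys
from datetime import datetime

CORE_DIRS = ("wp-admin", "wp-includes")

def audit_wordpress(root, theme, since):
    """Return sorted (category, relative_path) findings for manual review.

    root  - WordPress installation directory
    theme - directory name of the active theme (operator-supplied)
    since - datetime cutoff, e.g. the date of the last known-good backup
    """
    cutoff = since.timestamp()
    findings = set()

    def rel(path):
        return os.path.relpath(path, root)

    # Must-use plugins load automatically and cannot be disabled from the
    # dashboard, so every entry in this directory deserves a look.
    mu_dir = os.path.join(root, "wp-content", "mu-plugins")
    if os.path.isdir(mu_dir):
        for name in os.listdir(mu_dir):
            findings.add(("mu-plugin", rel(os.path.join(mu_dir, name))))

    # The active theme's functions file is a named injection point.
    functions = os.path.join(root, "wp-content", "themes", theme, "functions.php")
    if os.path.isfile(functions) and os.path.getmtime(functions) >= cutoff:
        findings.add(("theme-functions-modified", rel(functions)))

    for dirpath, _dirs, files in os.walk(root):
        top = rel(dirpath).split(os.sep)[0]
        for name in files:
            path = os.path.join(dirpath, name)
            if name.startswith("."):
                # Assumption: "hidden file" means a dotfile.
                findings.add(("hidden-file", rel(path)))
            elif top in CORE_DIRS and os.path.getmtime(path) >= cutoff:
                # Fake core files sit among real ones; recent changes stand out.
                findings.add(("core-file-modified", rel(path)))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: audit.py /path/to/wordpress active-theme-dir YYYY-MM-DD
    cutoff_date = datetime.fromisoformat(sys.argv[3])
    for category, path in audit_wordpress(sys.argv[1], sys.argv[2], cutoff_date):
        print(f"{category}\t{path}")
```

Modification times can be forged, so an empty result does not clear a site; the listing only narrows where to look before core, plugins, and themes are reinstalled from trusted sources.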





