Unknown actors hijacked Nextend’s update infrastructure to push a trojanized Smart Slider 3 Pro v3.5.1.35 that delivered a multi-stage backdoor through the official update channel. The malicious build enabled pre-auth remote code execution, hidden admin creation, multi-location persistence, and credential exfiltration to a C2 domain before Nextend removed the update and urged users to upgrade and clean compromised sites. #SmartSlider3 #Nextend
Key points
- Unknown actors compromised Nextend’s update system to distribute Smart Slider 3 Pro v3.5.1.35.
- The trojanized update enables pre-auth remote code execution via custom HTTP headers and arbitrary PHP execution.
- The backdoor creates hidden administrator accounts and installs redundant persistence in a must-use plugin, theme functions.php, and wp-includes.
- Compromised sites exfiltrate credentials and site metadata to the C2 domain wpjs1.com.
- Nextend removed the malicious build and advised updating to v3.5.1.36 and following cleanup steps including removing persistence, deleting malicious options, and resetting credentials.
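A file-system triage pass for the indicators listed above, as an added example that is not from Nextend or the linked article. It assumes a standard WordPress directory layout and that the plugin's header reads "Plugin Name: Smart Slider 3 Pro"; the function names are hypothetical.

```python
import re
import sys
from pathlib import Path

C2_DOMAIN = b"wpjs1.com"   # C2 domain named in the report
BAD_VERSION = "3.5.1.35"   # trojanized build named in the report
# WordPress plugin header fields, e.g. " * Version: 1.2.3"
HEADER = re.compile(rb"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I)

def persistence_candidates(root):
    """Yield PHP files in the three persistence locations the report lists."""
    content = root / "wp-content"
    yield from (content / "mu-plugins").rglob("*.php")        # must-use plugins
    yield from (content / "themes").glob("*/functions.php")   # theme functions.php
    yield from (root / "wp-includes").rglob("*.php")          # core includes

def plugin_headers(path):
    """Parse header fields from the first 8 KiB of a plugin's main file."""
    with open(path, "rb") as f:
        head = f.read(8192)
    return {k.decode().lower(): v.decode(errors="replace").strip()
            for k, v in HEADER.findall(head)}

def triage(root):
    """Return sorted (finding, relative path) leads for manual review."""
    root = Path(root)
    findings = []
    for php in (root / "wp-content" / "plugins").glob("*/*.php"):
        h = plugin_headers(php)
        # Assumption: the Pro plugin names itself "Smart Slider 3 Pro".
        if "smart slider 3 pro" in h.get("plugin name", "").lower() \
                and h.get("version") == BAD_VERSION:
            findings.append(("trojanized-version", php.relative_to(root).as_posix()))
    for php in persistence_candidates(root):
        if not php.is_file():
            continue
        rel = php.relative_to(root)
        if C2_DOMAIN in php.read_bytes().lower():
            findings.append(("c2-reference", rel.as_posix()))
        elif rel.parts[:2] == ("wp-content", "mu-plugins"):
            # Must-use plugins load automatically; confirm each is expected.
            findings.append(("review-mu-plugin", rel.as_posix()))
    return sorted(findings)

if __name__ == "__main__":
    for kind, path in triage(sys.argv[1]):
        print(f"{kind}\t{path}")
```

A clean result does not clear a site: the plain-text domain match misses obfuscated code, and the hidden administrator accounts and malicious options live in the database, which this pass does not read.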
Read More: https://thehackernews.com/2026/04/backdoored-smart-slider-3-pro-update.html