Attackers hijacked the update system for Smart Slider 3 Pro and pushed a malicious version (3.5.1.35) that installed multiple backdoors, created a hidden administrator account, and exfiltrated site credentials. PatchStack analysis shows the toolkit is multi-layered and persistent—using mu-plugins, theme and core file implants, and a database-independent loader—so affected WordPress and Joomla sites should restore a clean backup or immediately update to 3.5.1.36 and follow full cleanup procedures. #SmartSlider3 #PatchStack #WordPress #Joomla
Key points
- The malicious update targeted Smart Slider 3 Pro version 3.5.1.35 distributed on April 7 and may have been installed by some sites.
- It installed multiple persistence layers including a hidden admin user, a mu-plugins must-use file, modifications to the active theme’s functions.php, and a wp-includes backdoor with its own .cache_key.
- The toolkit enables unauthenticated remote command execution via crafted HTTP headers plus a second authenticated backdoor with PHP eval, OS command execution, and automated credential theft.
- Smart Slider 3 is used on over 900,000 WordPress sites, amplifying the potential impact of the compromise.
- Administrators should assume full compromise: restore a backup from April 5 or earlier or install 3.5.1.36, remove malicious users/files, rotate all credentials, reinstall core components, and harden access (2FA, restricted admin accounts).
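As an added example (not code from PatchStack or the Smart Slider project), the script below turns the persistence layers listed above into a triage sweep over a WordPress tree: it enumerates every must-use plugin, looks for `.cache_key` under `wp-includes`, flags core files that both read a request header and call an exec-style function, flags theme `functions.php` files containing such calls, and compares the administrator list against an allowlist. The detection patterns are generic heuristics assumed here (not signatures from the report), and the fixture built by `build_sample_tree()` is constructed for demonstration. The user-list shape matches what `wp user list --role=administrator --format=json` prints, so the output of that WP-CLI command can be fed straight into `unexpected_admins()`.

```python
"""Audit a WordPress tree for the persistence layers described in the summary.
Added example; heuristics and fixture are assumptions, not report indicators."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Heuristic: calls that turn data into executable PHP or shell commands.
EXEC_CALL = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|str_rot13|system|shell_exec|passthru|exec)\s*\(",
    re.IGNORECASE,
)
# Heuristic: code that reads an arbitrary request header (an unauthenticated trigger channel).
HEADER_READ = re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_[A-Z0-9_]+['\"]\s*\]")


def _rel(root: Path, p: Path) -> str:
    return p.relative_to(root).as_posix()


def audit_wordpress(root) -> list[tuple[str, str]]:
    """Return (category, relative path) findings for manual triage."""
    root = Path(root)
    findings: list[tuple[str, str]] = []

    # 1. mu-plugins load on every request and cannot be deactivated from wp-admin,
    #    so every PHP file here must be accounted for.
    mu = root / "wp-content" / "mu-plugins"
    if mu.is_dir():
        for p in sorted(mu.rglob("*.php")):
            findings.append(("mu-plugin", _rel(root, p)))

    # 2. wp-includes: a stray .cache_key file, or a core file that executes on a
    #    request header, is a strong signal of the implant described above.
    inc = root / "wp-includes"
    if inc.is_dir():
        for p in sorted(inc.rglob(".cache_key")):
            findings.append(("cache_key", _rel(root, p)))
        for p in sorted(inc.rglob("*.php")):
            src = p.read_text(errors="ignore")
            if EXEC_CALL.search(src) and HEADER_READ.search(src):
                findings.append(("header-triggered-exec", _rel(root, p)))

    # 3. The active theme's functions.php runs on every front-end request.
    themes = root / "wp-content" / "themes"
    if themes.is_dir():
        for p in sorted(themes.glob("*/functions.php")):
            if EXEC_CALL.search(p.read_text(errors="ignore")):
                findings.append(("theme-functions-php", _rel(root, p)))
    return findings


def unexpected_admins(users, expected_logins) -> list[str]:
    """Administrator logins not on the allowlist. `users` has the shape of
    `wp user list --role=administrator --format=json` (roles as a comma string or list)."""
    out = []
    for u in users:
        roles = u.get("roles", "")
        if isinstance(roles, str):
            roles = [r.strip() for r in roles.split(",")]
        if "administrator" in roles and u["user_login"] not in expected_logins:
            out.append(u["user_login"])
    return sorted(out)


def build_sample_tree() -> str:
    """Constructed fixture: a minimal tree exhibiting each persistence layer plus clean files."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    files = {
        "wp-content/mu-plugins/cache-loader.php": "<?php // constructed: unexplained must-use plugin\n",
        "wp-includes/.cache_key": "constructed\n",
        "wp-includes/class-wp-constructed.php":
            "<?php // constructed: reads a request header and hands data to eval\n"
            "$h = $_SERVER['HTTP_X_CONSTRUCTED'];\neval($payload);\n",
        "wp-includes/formatting.php":
            "<?php function wp_strip_all_tags($s) { return strip_tags($s); }\n",
        "wp-content/themes/compromised/functions.php":
            "<?php add_action('init', function () { eval(base64_decode('Y29uc3RydWN0ZWQ=')); });\n",
        "wp-content/themes/clean/functions.php": "<?php add_theme_support('title-tag');\n",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for category, path in audit_wordpress(sample_root):
        print(f"{category:24} {path}")
    # Constructed user list; "alice" is the only expected administrator.
    print(unexpected_admins(
        [{"user_login": "alice", "roles": "administrator"},
         {"user_login": "wp_cache_svc", "roles": "administrator"}],
        {"alice"}))
```

Every finding is a candidate for review, not a verdict: legitimate mu-plugins and theme code can trip the regexes, which is why the sweep reports paths rather than deleting anything. Files that do not appear in a clean copy of core or the theme should be diffed against that clean copy before the reinstall the summary recommends.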