Smart Slider updates hijacked to push malicious WordPress and Joomla versions
Hackers hijacked the Smart Slider 3 Pro update system, distributing a malicious version (3.5.1.35) that installs multiple backdoors, creates hidden admin accounts, and steals data on WordPress and Joomla sites. The malware persists through a hidden mu-plugin, the active theme's functions.php, and a core-file-like PHP file in wp-includes whose authentication does not depend on the database, so database-level cleanup alone does not remove it. Only the Pro 3.5.1.35 build is affected; users should upgrade to 3.5.1.36 or revert to a prior clean version, delete compromised files and users, reinstall core components, rotate credentials, regenerate salts, and enable 2FA. The vendor recommends restoring from an April 5 backup if available and provides a manual cleanup guide.

Smart Slider Updates Hijacked to Push Malicious WordPress, Joomla Versions
- Overview
- A security incident involved the update mechanism for Smart Slider 3 Pro, impacting WordPress and Joomla installations.
- The attacker distributed a malicious version of the Pro plugin, injecting a multi-layered toolkit while preserving the slider’s normal functionality.
- The incident was linked to the Pro version 3.5.1.35; remediation guidance centers on upgrading to 3.5.1.36 or reverting to 3.5.1.34 or earlier.
- The compromise includes backdoors, hidden administrative access, credential theft, and multiple persistence methods designed to endure across reboots and rebuilds.
- Affected Versions and Scope
- WordPress: Smart Slider 3 Pro version 3.5.1.35 was compromised. Version 3.5.1.36, and versions 3.5.1.34 and earlier, are identified as clean.
- Joomla: Similar compromise reported for Smart Slider 3 Pro 3.5.1.35, with malicious code present in that release.
- Reach: Smart Slider 3 for WordPress is installed on more than 900,000 sites according to available estimates, used for responsive sliders and live editing.
- Distribution date: The malicious update reportedly began circulating on April 7, and some sites may already have installed it.
- Backup timing note: Vendor advisories use April 5 as the cut-off for a known-clean backup, leaving a margin before the April 7 distribution to allow for time zone differences.
- How the Attack Was Carried Out (Technical Execution)
- The malicious update is embedded within the plugin’s main file, designed to appear as a legitimate update while delivering a fully featured toolkit of malicious capabilities.
- Remote command execution without authentication became possible through crafted HTTP headers, enabling an attacker to run arbitrary commands on compromised sites.
- A secondary authenticated backdoor exists, featuring PHP eval and OS command execution, coupled with automated credential theft mechanisms.
- The attacker maintained persistence by layering multiple backdoors and entry points, enabling continued access even if some defenses were restored.
- Persistence Mechanisms and Stealth Techniques
- Hidden administrative user: The malware creates a covert admin account, often with a prefix such as wpsvc_, which operates with administrator privileges.
- Must-use (mu-plugins) persistence: A must-use plugin is created in a mu-plugins directory, designed to load automatically and remain invisible in standard plugin lists, complicating detection and removal.
- Theme-level backdoors: A backdoor is planted in the active theme’s functions.php file, providing a long-lived foothold as long as the theme remains active.
- Core-file deception within wp-includes: A PHP file is inserted into the wp-includes directory, mimicking a legitimate WordPress core class. This backdoor is notable for its independence from the WordPress database, relying instead on a cached key for authentication.
- .cachekey dependency: The authentication mechanism reads a value from a .cachekey file in the same directory, so resetting database credentials and salts does not neutralize that backdoor; the file itself has to be removed.
- Indicators of Compromise (IoCs)
- Unauthorized admin accounts: Presence of hidden administrator accounts with unusual prefixes in the users table.
- New or modified files: Malicious files added to mu-plugins directories and to the theme’s functions.php.
- Directory and file changes: Backdoors placed under /cache and /media directories, as well as stray PHP files in wp-includes.
- Database-agnostic persistence: A backdoor that reads authentication materials from a local cache file rather than relying on database-stored credentials.
- Second backdoor channel: An authenticated backdoor enabling PHP evaluation and OS command execution, functioning even if other components are restored.
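As an added example (not code from the article or from the Smart Slider vendor), a defender-side scan that walks a WordPress root for the persistence indicators listed in the two sections above: any must-use plugin, non-core PHP files and a .cachekey file in wp-includes, a theme functions.php whose hash has changed, and administrator accounts with the wpsvc_ prefix or unknown to the operator. The directory tree, user list, CORE_MANIFEST allow-list and EXPECTED_ADMINS set are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_MANIFEST = {"class-wp-hook.php"}   # stand-in for a real core checksum manifest (assumption)
EXPECTED_ADMINS = {"siteowner"}          # administrator logins the operator knows (assumption)

def scan_wp_root(root, users, good_functions_sha256):
    """Return (kind, path_or_login) findings for the indicators listed above."""
    root = Path(root)
    findings = []
    # 1. Any must-use plugin: loaded automatically, never shown in the Plugins screen.
    for f in (root / "wp-content" / "mu-plugins").glob("*.php"):
        findings.append(("mu-plugin", str(f.relative_to(root))))
    # 2. PHP files in wp-includes that are not core, and the .cachekey auth file.
    for f in (root / "wp-includes").rglob("*"):
        if f.suffix == ".php" and f.name not in CORE_MANIFEST:
            findings.append(("non-core-file", str(f.relative_to(root))))
        if f.name == ".cachekey":
            findings.append(("cachekey", str(f.relative_to(root))))
    # 3. Theme functions.php that no longer matches its known-good hash.
    for f in (root / "wp-content" / "themes").glob("*/functions.php"):
        if hashlib.sha256(f.read_bytes()).hexdigest() != good_functions_sha256:
            findings.append(("theme-functions-modified", str(f.relative_to(root))))
    # 4. Administrators with the wpsvc_ prefix or not on the operator's list.
    for login, role in users:
        if role == "administrator" and (login.startswith("wpsvc_") or login not in EXPECTED_ADMINS):
            findings.append(("unexpected-admin", login))
    return findings

def build_sample_site():
    """Constructed sample tree reproducing the indicators; returns (root, good hash)."""
    root = Path(tempfile.mkdtemp())
    good = b"<?php // original theme functions\n"
    (root / "wp-content/mu-plugins").mkdir(parents=True)
    (root / "wp-content/mu-plugins/zz-helper.php").write_text("<?php // sample mu-plugin\n")
    (root / "wp-content/themes/mytheme").mkdir(parents=True)
    (root / "wp-content/themes/mytheme/functions.php").write_bytes(good + b"// injected\n")
    (root / "wp-includes").mkdir()
    (root / "wp-includes/class-wp-hook.php").write_text("<?php // genuine core file\n")
    (root / "wp-includes/class-wp-sample.php").write_text("<?php // sample non-core file\n")
    (root / "wp-includes/.cachekey").write_text("sample-key\n")
    return root, hashlib.sha256(good).hexdigest()

if __name__ == "__main__":
    root, good_hash = build_sample_site()
    users = [("siteowner", "administrator"), ("wpsvc_update", "administrator"), ("editor1", "editor")]
    for kind, what in scan_wp_root(root, users, good_hash):
        print(f"{kind}: {what}")
```

On a real site, replace the stand-in manifest with the published core checksums (for example via WP-CLI's `wp core verify-checksums`) and feed the user list from the users table rather than a literal.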
- Platform-Specific Observations
- WordPress ecosystem: The vast ecosystem of WordPress plugins and themes can amplify the impact when a trusted plugin’s update is compromised, enabling rapid propagation across sites.
- Joomla ecosystem: Similar risks exist when a component integrates with Joomla, as attackers leverage shared supply-chain strategies to embed backdoors and data-stealing capabilities.
- Attack Characteristics and Adversarial Techniques
- Multi-layered toolkit: The malicious update includes a fully featured toolkit designed to operate covertly within the host, maintaining functionality while enabling malicious actions.
- Command execution and data theft: The threat enables remote command execution, credential harvesting, and potential exfiltration of sensitive data.
- Persistence without database reliance: By embedding backdoors in core-like and theme-related files, the attacker reduces reliance on database integrity, increasing resilience to certain restoration efforts.
- Context and Related Observations
- Supply-chain-style compromise: The incident is consistent with broader trends where software update mechanisms are abused to deliver malware, highlighting the importance of component integrity and supply-chain security.
- Cross-platform implications: The convergence of WordPress and Joomla in a single campaign underscores the value of monitoring update channels and plugin integrity across content management systems.
- Security posture implications: The presence of hidden admin accounts and must-use plugins demonstrates how attackers blend into the legitimate administration environment, evading typical visibility checks.
- Timeline and Key Dates
- Early backup reference: Advisories use April 5 as the latest date for a known-clean backup, leaving a margin before the distribution date to allow for time zone variations.
- Distribution event: The malicious update was distributed on or around April 7, 2026.
- Affected versions: 3.5.1.35 identified as the compromised release for both WordPress and Joomla variants, with 3.5.1.36 and 3.5.1.34 (and earlier) cited as potential safe alternatives.
- Summary of Impact
- The attack demonstrates how trusted plugins can become a vector for multi-layered compromises, affecting both WordPress and Joomla sites.
- The blend of hidden admin accounts, must-use plugins, and theme-level backdoors illustrates the depth of persistence attackers can achieve within a compromised site.
- The combination of core-file masquerading and cache-key-based authentication bypasses common mitigation approaches, complicating detection and remediation efforts.
- Contextual Notes and Public Communications
- Vendor advisories emphasize that compromised updates can affect large swaths of sites and that remediation requires careful asset verification, integrity checks, and attention to persistence mechanisms described above.
- The incident highlights ongoing concerns about supply-chain security in widely used web platforms and the critical importance of monitoring plugin updates and file integrity across administration dashboards.