Smart Slider 3 Pro security alert compromised the supply chain and exposed thousands of sites

Published · 4 min read · 103 reads

A group of attackers took control of the update system of Smart Slider 3 Pro, the popular plugin for building responsive sliders on WordPress and Joomla, and distributed a malicious version that installed multiple backdoors on the sites that applied it. The problem specifically affects Pro version 3.5.1.35; the developer recommends updating immediately to the clean version 3.5.1.36 or rolling back to any version earlier than 3.5.1.35.

Smart Slider 3 for WordPress is installed on hundreds of thousands of sites (the plugin's page in the official WordPress repository reflects its wide adoption), which makes this incident a textbook supply chain attack: compromise a very widely used component to reach a large number of targets. When a plugin with that many active installations is compromised, the risk to the public web is significant. The plugin information is available on WordPress.org.

[Image: generated with AI.]

The forensic analysis by PatchStack, a security firm specialising in WordPress and open-source software, describes the threat as a "complete and layered malware toolkit" embedded in the plugin's main file without breaking the legitimate slider functionality. In other words, the plugin kept working normally and an administrator would notice no functional anomaly while the attacker retained persistent access.

Among the malicious capabilities detected are unauthenticated remote command execution triggered through manipulated HTTP headers, an additional authenticated backdoor that runs PHP code (eval) and system commands, and automated routines to steal credentials. To ensure persistence, the attackers did not rely on a single vector: they created a hidden administrator account (with a login that typically starts with "wpsvc_"), added a "must-use" plugin in the mu-plugins directory (which loads automatically and cannot be deactivated from the panel), injected malicious code into the active theme's functions file (functions.php), placed files in wp-includes that mimic WordPress core classes, and stored an authentication key in a .cache_key file. An important consequence is that some of these backdoors keep working even after the database credentials are changed, because they read their authentication key from that file on disk, as PatchStack's report explains.

Smart Slider's team confirmed that the malicious update was distributed on April 7 and advises that, when restoring from backup, it is safe to return to a state prior to April 5 to allow for any time lag. The vendor published advisories and recovery guides for WordPress and Joomla in the official Smart Slider documentation (a WordPress advisory and a Joomla advisory).

If you run sites with Smart Slider 3 Pro and find the compromised version, assume the worst: treat a full takeover of the site as a given. The vendor and the researchers recommend a comprehensive response: remove suspicious administrator users, delete malicious files and database entries, reinstall the WordPress or Joomla core, plugins and themes from clean sources, and rotate every credential (administrator, database, FTP/SSH, hosting and email panel). They also suggest regenerating the WordPress security keys and reviewing logs and scan results for malware remnants.

Beyond the immediate cleanup, it is key to harden the platform to reduce the likelihood of reinfection: enable two-factor authentication for administrator accounts, restrict access to the admin panel (for example by IP or with more restrictive roles), enforce unique, strong passwords, keep every component up to date, and use detection and response tooling for web environments. If you have no backup from before the compromise, the recommendation is to remove the affected plugin and reinstall the safe version 3.5.1.36 from the official source.


Detecting the intrusion may require targeted searches: check for users with unusual prefixes (such as wpsvc_), new entries under mu-plugins or foreign files in /wp-includes, .cache_key files, and unusual rows in database tables. Scans with specialised tools combined with manual review of files and logs give a better guarantee than relying on an automated scan alone. If this is beyond your comfort level, hiring an incident response service or a WordPress security consultant is a prudent investment.
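A read-only triage script that checks for the indicators just listed, as an added example that is not code from the article, Smart Slider or PatchStack. It assumes the WordPress root as its first argument and, optionally, a file of user logins (one per line, for example from `wp user list --field=user_login`) as the second; the 30-day modification window and the eval/base64_decode grep are my own heuristics, not indicators taken from the report.

```shell
#!/bin/sh
# Read-only triage for the Smart Slider 3 Pro indicators described in the article:
# wpsvc_ admin logins, must-use plugins, .cache_key files, recently changed PHP
# files in wp-includes, and eval()/base64_decode() inside theme functions.php.
# Added example (not from the article, Smart Slider or PatchStack). It only
# reports; it deletes nothing.

# note LABEL LINES: print each line prefixed with LABEL and add the count to $hits.
note() {
    [ -n "$2" ] || return 0
    printf '%s\n' "$2" | sed "s|^|$1: |"
    hits=$((hits + $(printf '%s\n' "$2" | wc -l)))
}

# wp_triage ROOT [USERFILE]: returns 0 when no indicator was found, 1 otherwise.
wp_triage() {
    root="$1"; users="${2:-}"; hits=0

    # 1. Hidden administrator accounts with the reported wpsvc_ login prefix.
    [ -f "$users" ] && note "SUSPECT USER" "$(grep '^wpsvc_' "$users")"

    # 2. Must-use plugins load automatically and cannot be disabled from the panel.
    note "MU-PLUGIN" "$(find "$root/wp-content/mu-plugins" -name '*.php' 2>/dev/null)"

    # 3. Disk-resident key that lets the backdoor survive database credential rotation.
    note "CACHE KEY FILE" "$(find "$root" -type f -name '.cache_key' 2>/dev/null)"

    # 4. Heuristic (assumption): core PHP files touched in the last 30 days. Confirm
    #    against a clean install, e.g. `wp core verify-checksums`.
    note "RECENT CORE FILE" "$(find "$root/wp-includes" -name '*.php' -mtime -30 2>/dev/null)"

    # 5. Heuristic (assumption): eval/base64_decode in any theme's functions.php.
    note "THEME FUNCTIONS" "$(grep -lE 'eval\(|base64_decode\(' \
        "$root"/wp-content/themes/*/functions.php 2>/dev/null)"

    echo "TOTAL INDICATORS: $hits"
    [ "$hits" -eq 0 ]
}
```

The recent-modification check only narrows what to look at; the authoritative test for foreign files in wp-includes is a comparison against a clean core (`wp core verify-checksums`).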

This incident is a reminder that web security depends as much on the integrity of third-party components as on the administrator's own practices. Supply chain attacks are particularly dangerous because they exploit the trust and reach of very popular components, so it is essential to combine regular backups, file integrity controls, and strict update and access policies.
