RC RANDOM CHAOS

Smart Slider 3 Pro update system compromised, backdoors pushed to 900K+ sites

via BleepingComputer

Original source: "Smart Slider updates hijacked to push malicious WordPress, Joomla versions" (BleepingComputer)

Attackers compromised the update distribution system for Smart Slider 3 Pro, a popular WordPress and Joomla plugin, and used it to push a trojanized version (3.5.1.35) on April 7. The malicious update preserved normal plugin functionality while embedding a multi-layered backdoor toolkit that enabled unauthenticated remote command execution via crafted HTTP headers, PHP eval and OS command execution, and automated credential theft.

The malware established persistence through at least four mechanisms: creating a hidden administrator account, planting a must-use plugin disguised as a caching component (invisible in the WordPress dashboard), injecting code into the active theme’s functions.php, and dropping a standalone PHP backdoor in wp-includes that reads its auth key from a local file rather than the database, meaning credential rotation alone won’t neutralize it.

The vendor recommends restoring from backups dated April 5 or earlier. Sites that ran the compromised version should assume full compromise: remove all malicious artifacts, reinstall WordPress core and all plugins from clean sources, rotate every credential (database, FTP, SSH, hosting, email), regenerate WordPress salts, and scan for residual malware. Joomla installations face similar risks, with backdoors planted in /cache and /media directories.
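A filesystem triage for the three on-disk persistence locations named above (wp-includes, must-use plugins, theme functions.php), as an added example that is not from the vendor or the original article. It assumes a pristine unpacked copy of the same WordPress version for comparison and a caller-supplied cutoff time; the function and finding names are hypothetical, and the hidden administrator account still has to be checked in the user list.

```python
import hashlib
from pathlib import Path


def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def _files(directory):
    """All regular files under directory, sorted; empty if it does not exist."""
    return sorted(p for p in directory.rglob("*") if p.is_file()) if directory.is_dir() else []


def triage(site_root, clean_core, cutoff_ts):
    """Return (finding, relative_path) tuples for a WordPress tree.

    clean_core: unpacked pristine WordPress of the same version (assumption).
    cutoff_ts:  Unix time of the last known-good moment, e.g. the backup date.
    """
    site, clean = Path(site_root), Path(clean_core)
    findings = []

    # Standalone backdoor and its key file: anything in wp-includes that the
    # pristine core lacks or that differs from it, whatever the extension.
    for f in _files(site / "wp-includes"):
        rel = f.relative_to(site)
        ref = clean / rel
        if not ref.is_file():
            findings.append(("unknown-core-file", rel.as_posix()))
        elif _sha256(f) != _sha256(ref):
            findings.append(("modified-core-file", rel.as_posix()))

    # Must-use plugins load automatically; list every file for manual review.
    for f in _files(site / "wp-content" / "mu-plugins"):
        findings.append(("mu-plugin", f.relative_to(site).as_posix()))

    # Theme functions.php touched after the cutoff. mtime can be reset by an
    # attacker, so no hit here is inconclusive; diff against the theme source.
    themes = site / "wp-content" / "themes"
    for f in (sorted(themes.glob("*/functions.php")) if themes.is_dir() else []):
        if f.stat().st_mtime > cutoff_ts:
            findings.append(("theme-functions-changed", f.relative_to(site).as_posix()))

    return findings
```

Findings are leads for review, not a clean bill of health: an empty result does not replace the reinstall and credential rotation described above.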

This is an AI-generated summary. Read the original for the full story.