{"id":45259,"date":"2026-04-10T01:15:47","date_gmt":"2026-04-09T17:15:47","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/10\/smart-slider-updates-hijacked-to-push-malicious-wordpress-joomla-versions\/"},"modified":"2026-04-10T01:15:47","modified_gmt":"2026-04-09T17:15:47","slug":"smart-slider-updates-hijacked-to-push-malicious-wordpress-joomla-versions","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/10\/smart-slider-updates-hijacked-to-push-malicious-wordpress-joomla-versions\/","title":{"rendered":"Smart Slider updates hijacked to push malicious WordPress, Joomla versions"},"content":{"rendered":"\n

\"Smart<\/p>\n

Hackers hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla, and pushed a malicious version with multiple backdoors.<\/p>\n

The developer says that only the Pro version 3.5.1.35 of the plugin is affected and recommends switching immediately to the latest version, currently 3.5.1.36, or 3.5.1.34 and earlier.<\/p>\n

Apart from installing backdoors in multiple locations, the malicious update created a hidden user with administrator permissions and stole sensitive data.<\/p>\n

Smart Slider 3 for WordPress is used on over 900,000 websites for responsive slider creation via a live slider editor, featuring a large selection of layouts and designs.<\/p>\n

According to the vendor, the threat actor distributed the malicious update on April 7, and some websites may have installed it.<\/p>\n

An analysis from PatchStack, a company focusing on securing WordPress and open-source software, notes that the malware is a fully featured, multi-layered toolkit embedded in the plugin’s main file while preserving Smart Slider’s normal functionality.<\/p>\n

The researchers noticed that the malicious kit allows a remote attacker to execute commands without authentication via crafted HTTP headers. It also includes a second authenticated backdoor with both PHP eval and OS command execution, and automated credential theft.<\/p>\n

The malware achieves persistence through multiple layers, one being the creation of a hidden admin account and storing credentials in the database.<\/p>\n

\n
\"Smart
Creating a hidden admin account<\/strong>
Source: PatchStack<\/em><\/figcaption><\/figure>\n<\/div>\n

Additionally, it creates a ‘mu-plugins’ directory and creates a must-use plugin with a file name that pretends to be a legitimate caching component.<\/p>\n

Must-use plugins are special in that they are loaded automatically, cannot be disabled from the WordPress dashboard, and are not visible in the plugins section.<\/p>\n

PatchStack notes that the malicious kit also plants a backdoor in the active theme’s functions.php<\/em> file, which allows it to persist for as long as the theme is active.<\/p>\n

Another persistence layer is injecting in the wp-includes<\/em> directory a a PHP file with a name that mimics a legitimate WordPress core class.<\/p>\n

“Unlike the other persistence layers, this backdoor does not depend on the WordPress database, but reads its authentication key from a .cache_key<\/code> file stored in the same directory,” PatchStack researchers explain<\/a>.<\/p>\n

As such, changing the database credentials does not neutralize the backdoor, which continues to work “even if WordPress fails to bootstrap fully.”<\/p>\n

The vendor issued a similar warning for Joomla installations<\/a>, saying that the malicious code present in version 3.5.1.35 of the plugin may create a hidden admin account (usually with the prefix wpsvc_<\/em>), install additional backdoors in the \/cache  and \/media directories, and steal site information and credentials.<\/p>\n

Recommended actions<\/h3>\n

The malicious update was distributed to users on April 7, but the Smart Slider team suggests April 5 as the safest date for backup restoration, to ensure time zone differences are accounted for in all cases.<\/p>\n

“A security breach affected the update system responsible for distributing Smart Slider 3 Pro for WordPress,” reads the vendor’s disclosure<\/a>.<\/p>\n

If no backup is available, it is recommended to remove the compromised plugin and install a clean version (3.5.1.36).<\/p>\n

Administrators who find the compromised plugin version should assume full site compromise and take the following action:<\/p>\n