Unknown threat actors have hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla to push a poisoned version containing a backdoor.
The incident impacts Smart Slider 3 Pro version 3.5.1.35 for WordPress, per WordPress security company Patchstack. Smart Slider 3 is a popular WordPress slider plugin with more than 800,000 active installations across its free and Pro editions.
“An unauthorized party gained access to Nextend’s update infrastructure and distributed a fully attacker-authored build through the official update channel,” the company said. “Any site that updated to 3.5.1.35 between its release on April 7, 2026, and its detection approximately 6 hours later received a fully weaponized remote access toolkit.”
Nextend, which maintains the plugin, said an unauthorized party gained unauthorized access to its update system and pushed a malicious version (3.5.1.35 Pro) that remained accessible for approximately six hours, before it was detected and pulled.
The trojanized update includes the ability to create rogue administrator accounts, as well as drop backdoors that execute system commands remotely via HTTP headers and run arbitrary PHP code via hidden request parameters. According to Patchstack, the malware comes with the following capabilities –
- Achieve pre-authenticated remote code execution via custom HTTP headers like X-Cache-Status and X-Cache-Key, the latter of which contains the code that’s passed to “shell_exec().”
- A backdoor that supports dual execution modes, enabling the attacker to execute arbitrary PHP code and operating system commands on the server.
- Create a hidden administrator account (e.g., “wpsvc_a3f1”) for persistent access and make it invisible to legitimate administrators by tampering with the “pre_user_query” and “views_users” filters.
- Use three custom WordPress options that are set with the “autoload” setting disabled to reduce their visibility in option dumps: _wpc_ak (a secret authentication key), _wpc_uid (user ID of the hidden administrator account), and _wpc_uinfo (Base64-encoded JSON containing the plaintext username, password, and email of the rogue account).
- Install persistence in three locations for redundancy: create a must-use plugin with the filename “object-cache-helper.php” to make it look like a legitimate caching component, append the backdoor component to the active theme’s “functions.php” file, and drop a file named “class-wp-locale-helper.php” in the WordPress “wp-includes” directory.
- Exfiltrate data containing site URL, secret backdoor key, hostname, Smart Slider 3 version, WordPress version, and PHP version, WordPress admin email address, WordPress database name, plaintext username and password of the administrator account, and a list of all installed persistence methods to the command-and-control (C2) domain “wpjs1[.]com.”
“The malware operates in several stages, each designed to…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
