Smart Slider 3 is a highly popular WordPress and Joomla slider plugin with over 800,000 active installations. On April 7, 2026, attackers compromised the plugin’s update system and released version 3.5.1.35, which contained a sophisticated remote access toolkit. This attack specifically targeted the Pro version; the free version remained safe. Any site that installed this version must be treated as fully compromised.
Severity: Critical
Incident Overview
- Targeted Software: Smart Slider 3 Pro (WordPress and Joomla editions).
- Compromised Version: 3.5.1.35.
- Attack Vector: Supply Chain Compromise via unauthorized access to Nextend’s update infrastructure.
- Exposure Window: The malicious version was distributed through official update channels for approximately 6 hours on April 7, 2026.
- Impact: Any site that updated during this window received a weaponized remote access toolkit, granting attackers full remote control.
Attack Kill Chain — 7 Stages
1. Infrastructure breach
The attacker gained unauthorized access to Nextend’s update server and injected malicious code into the plugin’s main PHP file while preserving the legitimate headers and bootstrap logic, so the plugin continued to function normally.
2. Pre-auth remote code execution via HTTP headers
The first malicious block executes on every page load (including the frontend). It checks for an X-Cache-Status: nw9xQmK4 request header; if present, it base64-decodes the X-Cache-Key header value and passes it directly to shell_exec(). No authentication is required.
3. Authenticated PHP/shell backdoor
A second backdoor registers on the init hook and is gated by the secret key stored in the _wpc_ak option. It is activated by the ?_chk= GET parameter and supports a PHP eval mode (m=php) and an OS shell mode with a six-function fallback chain (shell_exec → exec → system → passthru → proc_open → popen).
4. Hidden administrator account creation
Creates a rogue administrator with username wpsvc_<4-char hash of site URL>, email kiziltxt2[@]gmail[.]com and display name “WordPress Service”. The account is hidden from the Users screen using pre_user_query and views_users filter hooks that adjust both the user list and the count badges.
5. Multi-layer persistence installation
Three redundant backdoor locations are installed so the malware survives plugin removal: (a) a Must-Use plugin, wp-content/mu-plugins/object-cache-helper.php (auto-loads and is not visible in the Plugins screen); (b) an infection of the active theme’s functions.php; (c) a core file drop, wp-includes/class-wp-locale-helper.php, with a filesystem-based auth key that survives database credential changes.
6. Credential and option storage
Three wp_options entries store shared state with autoload disabled: _wpc_ak (auth key), _wpc_uid (hidden user ID) and _wpc_uinfo (base64-encoded JSON containing the plaintext username, password and email).
7. C2 registration and full exfiltration
The malware POSTs a JSON beacon to https[:]//wpjs1[.]com/api/v3/register-agent containing the site URL, secret key, WordPress/PHP/Smart Slider 3 versions, admin email, database name, server software and the plaintext rogue admin credentials. Setting sslverify to false ensures the beacon is transmitted even when the certificate is invalid.
Indicators Of Compromise
| Files | Database entries (wp_options) |
| --- | --- |
| wp-content/mu-plugins/object-cache-helper.php | _wpc_ak |
| wp-content/mu-plugins/wp-performance-toolkit.php | _wpc_uid |
| wp-includes/class-wp-locale-helper.php | _wpc_uinfo |
| wp-includes/class-wp-locale-textdomain.php | _perf_toolkit_source |
| wp-includes/.cache_key | wp_page_for_privacy_policy_cache |
| wp-includes/.lc_messages | |
| Modifications to the active theme’s functions.php (search for _wpc_ak) | |

| Network indicators | Rogue user account |
| --- | --- |
| Outbound HTTP POST to wpjs1.com | Username starting with wpsvc_ or wp_maint_ |
| Inbound requests containing the X-Cache-Status: nw9xQmK4 header | Email: kiziltxt2@gmail.com |
| Inbound requests with the _chk GET parameter | Display name “WordPress Service” |
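The following triage script is an added example (not code from the advisory, Patchstack or Nextend) that turns the file, wp_options and rogue-user indicators above into an offline check. It assumes the indicator values exactly as listed, that the option names come from the `option_name` column of `wp option list --format=json` and that user records have the `user_login`, `user_email` and `display_name` fields of `wp user list --format=json`; the `demo()` function builds a constructed, clearly fake site layout in a temporary directory so the script can be run without a real installation.

```python
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the advisory; file paths are relative to the WordPress root.
IOC_FILES = [
    "wp-content/mu-plugins/object-cache-helper.php",
    "wp-content/mu-plugins/wp-performance-toolkit.php",
    "wp-includes/class-wp-locale-helper.php",
    "wp-includes/class-wp-locale-textdomain.php",
    "wp-includes/.cache_key",
    "wp-includes/.lc_messages",
]
IOC_OPTIONS = {"_wpc_ak", "_wpc_uid", "_wpc_uinfo",
               "_perf_toolkit_source", "wp_page_for_privacy_policy_cache"}
ROGUE_USER_PREFIXES = ("wpsvc_", "wp_maint_")
ROGUE_EMAIL = "kiziltxt2@gmail.com"
ROGUE_DISPLAY_NAME = "WordPress Service"
FUNCTIONS_MARKER = "_wpc_ak"  # string the advisory says to search for in functions.php


def scan_files(wp_root):
    """Return findings for known dropped files and for any theme functions.php
    that references the backdoor's auth-key option name."""
    root = Path(wp_root)
    findings = []
    for rel in IOC_FILES:
        if (root / rel).exists():
            findings.append(f"file: {rel}")
    themes_dir = root / "wp-content" / "themes"
    if themes_dir.is_dir():
        for fn in sorted(themes_dir.glob("*/functions.php")):
            try:
                text = fn.read_text(errors="replace")
            except OSError:
                continue
            if FUNCTIONS_MARKER in text:
                rel = fn.relative_to(root).as_posix()
                findings.append(f"theme: {rel} references {FUNCTIONS_MARKER}")
    return findings


def scan_options(option_names):
    """option_names: iterable of wp_options names (e.g. from `wp option list`)."""
    return sorted(IOC_OPTIONS.intersection(option_names))


def scan_users(users):
    """users: list of dicts shaped like `wp user list --format=json` rows."""
    hits = []
    for u in users:
        login = u.get("user_login", "")
        reasons = []
        if login.startswith(ROGUE_USER_PREFIXES):
            reasons.append("login prefix")
        if u.get("user_email", "").lower() == ROGUE_EMAIL:
            reasons.append("email")
        if u.get("display_name") == ROGUE_DISPLAY_NAME:
            reasons.append("display name")
        if reasons:
            hits.append((login, reasons))
    return hits


def triage(wp_root, option_names, users):
    return {"files": scan_files(wp_root),
            "options": scan_options(option_names),
            "users": scan_users(users)}


def demo():
    """Builds a constructed fake site in a temp dir, triages it and cleans up."""
    root = Path(tempfile.mkdtemp(prefix="ss3-demo-"))
    try:
        mu = root / "wp-content" / "mu-plugins"
        mu.mkdir(parents=True)
        (mu / "object-cache-helper.php").write_text("<?php // constructed placeholder\n")
        theme = root / "wp-content" / "themes" / "demo-theme"
        theme.mkdir(parents=True)
        (theme / "functions.php").write_text(
            "<?php\n// constructed: only the option name, no malicious logic\n"
            "$k = get_option('_wpc_ak');\n")
        options = ["siteurl", "blogname", "_wpc_ak", "_wpc_uid"]  # constructed
        users = [  # constructed sample rows
            {"user_login": "admin", "user_email": "owner@example.com", "display_name": "Owner"},
            {"user_login": "wpsvc_1a2b", "user_email": "kiziltxt2@gmail.com",
             "display_name": "WordPress Service"},
        ]
        return triage(root, options, users)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for section, items in demo().items():
        print(section, items)
```

Run `triage()` against the real document root with the JSON output of the two WP-CLI commands; an empty result for all three sections does not prove the site is clean (the advisory's preferred remedy is a rollback), but any hit confirms the compromise and identifies which persistence layer is still present.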
Recommendations
- Preferred: server rollback. Restore from a backup dated April 5, 2026 or earlier to fully eliminate all injected artifacts.
- Update to 3.5.1.36 immediately. Remove the entire plugin directory and reinstall a clean copy. Enable maintenance mode before cleanup.
- Eradicate all persistence layers. Delete all IOC files listed above. Remove rogue user accounts. Purge malicious wp_options entries from the database. Clean functions.php, wp-config.php, and .htaccess. Reinstall WP core, all plugins and themes from official sources.
- Rotate all credentials: WordPress salts/security keys, admin passwords, hosting panel, FTP/SSH, database password, linked email accounts.
- Harden and monitor: Enable 2FA for all admins. Review server access logs and admin login history for activity between April 7–9, 2026. Disable PHP execution in uploads. Reinstall and re-enable security plugins (verify they were not modified by the malware).
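As an added example for the log review step (not code from the advisory or its sources), the script below scans web server access logs in the common combined format for requests carrying the _chk GET parameter that activates the authenticated backdoor, and reports the optional m= mode and the requesting IP. The header-triggered pre-auth stage (X-Cache-Status: nw9xQmK4) is generally not visible in default access logs, only in WAF or reverse-proxy logs configured to record request headers, so this script keys on the query parameter. The log lines in SAMPLE_LOG are constructed, with placeholder key values and documentation-range IPs.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

BACKDOOR_PARAM = "_chk"  # GET parameter that activates the authenticated backdoor

# Constructed sample access log; the key value is a placeholder, not a real IoC.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Apr/2026:14:02:11 +0000] "GET /?_chk=PLACEHOLDER-KEY&m=php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Apr/2026:14:05:43 +0000] "GET /about/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Apr/2026:14:06:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Apr/2026:02:17:55 +0000] "GET /index.php?_chk=PLACEHOLDER-KEY HTTP/1.1" 200 64 "-" "curl/8.4.0"
""".splitlines()


def find_backdoor_requests(lines):
    """Return one record per request whose query string contains the _chk parameter.
    'mode' is the m= value (the advisory documents m=php for the eval mode);
    an empty string means no mode parameter was supplied."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = urlsplit(m.group("target"))
        params = parse_qs(parts.query, keep_blank_values=True)
        if BACKDOOR_PARAM not in params:
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("time"),
            "path": parts.path,
            "mode": params.get("m", [""])[0],
            "status": int(m.group("status")),
        })
    return hits


def summarize_by_ip(hits):
    """Count backdoor requests per source IP so the most active client stands out."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_backdoor_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["ip"]} {h["path"]} mode={h["mode"] or "-"} status={h["status"]}')
    print(summarize_by_ip(found))
```

Feed it the rotated logs covering April 7 to 9, 2026 (`find_backdoor_requests(open(path))` works line by line); every IP it reports should then be cross-checked against the admin login history for the same window.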
Sources:
- https://patchstack.com/articles/critical-supply-chain-compromise-in-smart-slider-3-pro-full-malware-analysis/
- https://smartslider.helpscoutdocs.com/article/2143-joomla-security-advisory-smart-slider-3-pro-3-5-1-35-compromise
- https://smartslider.helpscoutdocs.com/article/2144-wordpress-security-advisory-smart-slider-3-pro-3-5-1-35-compromise