Unknown threat actors have hijacked the update system for the Smart Slider 3 Pro plugin for WordPress, distributing a backdoored version to thousands of websites through compromised Nextend update servers in a sophisticated supply chain attack.
Overview
Smart Slider 3 Pro, installed on over 900,000 WordPress websites, received a malicious update that included a PHP web shell disguised within legitimate plugin code. The backdoor provided attackers with persistent remote access to all affected WordPress installations.
Technical Details
The backdoored update contained:
- Obfuscated PHP web shell in includes/modules/slide/types/image/image.php
- Base64-encoded payload that decoded to a fully functional remote access tool
- Legitimate plugin functionality preserved to avoid detection
- C2 communication via encrypted HTTPS to attacker infrastructure
Impact Assessment
Severity: Critical
Any WordPress site that auto-updated Smart Slider 3 Pro during the compromise window is potentially backdoored. Attackers have full administrative access to affected sites, including database access, file system control, and the ability to create admin accounts.
Recommended Actions
- Immediately check your Smart Slider 3 Pro version and update to the clean release
- Scan your site with Wordfence or Sucuri for web shell indicators
- Review server access logs for suspicious POST requests
- Reset all WordPress admin passwords and API keys
- Consider a full site restore from a known-clean backup
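For the access-log review step, the following is an added example, not code from the article or from Nextend. It groups POST requests to the web shell path named above by client IP. It assumes the common/combined access log format and that the shell is reached by direct POSTs to that file; the sample lines, IP addresses and the PLUGIN_DIR prefix are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Web shell location as given in the article, relative to the plugin directory.
# The article does not state the directory prefix, so only the suffix is matched.
SHELL_SUFFIX = "/includes/modules/slide/types/image/image.php"

# Common/combined log format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_shell_posts(lines):
    """Return {client_ip: [(timestamp, status), ...]} for POSTs to the shell path."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Strip the query string, decode %xx escapes and collapse repeated
        # slashes so trivially altered spellings of the path still match.
        path = re.sub(r"/+", "/", unquote(m["path"].split("?", 1)[0]))
        if path.endswith(SHELL_SUFFIX):
            hits[m["ip"]].append((m["ts"], int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation IP ranges, placeholder plugin directory).
P = "/wp-content/plugins/PLUGIN_DIR" + SHELL_SUFFIX
P_ENC = P.replace(".php", "%2Ephp") + "?a=1"  # same file, escaped dot plus query
SAMPLE_LOG = [
    f'198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "POST {P} HTTP/1.1" 200 312 "-" "-"',
    f'198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "POST {P_ENC} HTTP/1.1" 200 88 "-" "-"',
    f'192.0.2.10 - - [01/Jan/2025:10:01:00 +0000] "GET {P} HTTP/1.1" 200 0 "-" "-"',
    '192.0.2.10 - - [01/Jan/2025:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '203.0.113.5 - - [01/Jan/2025:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 45 "-" "-"',
]

if __name__ == "__main__":
    for ip, events in find_shell_posts(SAMPLE_LOG).items():
        print(ip, len(events), "POSTs, first", events[0][0], "last", events[-1][0])
```

To run it against a real log, pass an open file object to `find_shell_posts`. A 200 status on a hit means the file answered the request, and the first timestamp per client helps bound the window for the restore and credential-reset steps.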
Written by Tarang Parmar (CEH) — TheCyberSecurity.Network.