Unknown threat actors have hijacked the update system for the Smart Slider 3 Pro plugin for WordPress, distributing a backdoored version to thousands of websites through compromised Nextend update servers in a sophisticated supply chain attack.<\/p>\n
Smart Slider 3 Pro, installed on over 900,000 WordPress websites, received a malicious update that included a PHP web shell disguised within legitimate plugin code. The backdoor provided attackers with persistent remote access to all affected WordPress installations.<\/p>\n
The backdoored update contained:<\/p>\n
includes\/modules\/slide\/types\/image\/image.php<\/code><\/li>\n- Base64-encoded payload that decoded to a fully functional remote access tool<\/li>\n
- Legitimate plugin functionality preserved to avoid detection<\/li>\n
- C2 communication via encrypted HTTPS to attacker infrastructure<\/li>\n<\/ul>\n
Impact Assessment<\/h2>\n
Severity: Critical<\/strong><\/p>\nAny WordPress site that auto-updated Smart Slider 3 Pro between the compromise window is potentially backdoored. Attackers have full administrative access to affected sites including database access, file system control, and ability to create admin accounts.<\/p>\n
Recommended Actions<\/h2>\n\n- Immediately check your Smart Slider 3 Pro version and update to the clean release<\/li>\n
- Scan your site with Wordfence or Sucuri for web shell indicators<\/li>\n
- Review server access logs for suspicious POST requests<\/li>\n
- Reset all WordPress admin passwords and API keys<\/li>\n
- Consider a full site restore from a known-clean backup<\/li>\n<\/ol>\n
Written by Tarang Parmar (CEH) \u2014 TheCyberSecurity.Network. Read time: 3 min.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"Unknown threat actors hijacked the update system for Smart Slider 3 Pro plugin, distributing a backdoored version to thousands of WordPress sites.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[44],"tags":[21,37,22,20,19],"class_list":["post-98","post","type-post","status-publish","format-standard","hentry","category-supply-chain","tag-backdoor","tag-critical","tag-nextend","tag-supplychain","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/posts\/98","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/comments?post=98"}],"version-history":[{"count":1,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/posts\/98\/revisions"}],"predecessor-version":[{"id":106,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/posts\/98\/revisions\/106"}],"wp:attachment":[{"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/media?parent=98"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/categories?post=98"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/tags?post=98"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}