
Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers

Ravie Lakshmanan | April 10, 2026 | Malware / Website Security

Unknown threat actors have hijacked the update system of the Smart Slider 3 Pro plugin for WordPress and Joomla to push a poisoned version containing a backdoor.

The incident affects Smart Slider 3 Pro version 3.5.1.35 for WordPress, according to WordPress security company Patchstack. Smart Slider 3 is a popular WordPress slider plugin with over 800,000 active installations across its free and Pro plans.

“An unauthorized group gained access to Nextend’s update infrastructure and distributed a fully weaponized attacker’s build through an official update channel,” the company said. “Any site that upgraded to 3.5.1.35 between its release on April 7, 2026, and its removal approximately 6 hours later received a fully equipped remote access toolkit.”

Nextend, which maintains the plugin, said an unauthorized group gained access to its update system and pushed a malicious version (3.5.1.35 Pro) that remained available for about six hours before it was discovered and pulled.

The trojanized update can create rogue administrator accounts, accept operating system commands sent in HTTP headers, and execute obfuscated PHP code passed in hidden request parameters. According to Patchstack, the malware has the following capabilities –

  • Pre-authentication remote code execution triggered by custom HTTP headers such as X-Cache-Status and X-Cache-Key, the latter carrying the command that is passed to “shell_exec().”
  • A backdoor with two execution modes, letting an attacker run arbitrary PHP code or operating system commands on the server.
  • Creation of a hidden administrator account (e.g., “wpsvc_a3f1”) for persistent access, hidden from legitimate administrators by hooking the “pre_user_query” and “user_view” filters so that it is omitted from the users list.
  • Storage of its state in three custom WordPress options created with autoload disabled, which keeps them out of the option set loaded on every request and so less visible: _wpc_ak (secret authentication key), _wpc_uid (user ID of the hidden administrator account), and _wpc_uinfo (Base64-encoded JSON containing the account’s username and email address).
  • Persistence in three places for redundancy: a plugin file named “object-cache-helper.php”, chosen to look like a legitimate part of the object cache; a backdoor component inserted into the active theme’s “functions.php”; and a third copy dropped as “class-wp-cache-helper.php”.
  • Exfiltration of the site URL, backdoor secret key, host name, Smart Slider 3 version, WordPress version, PHP version, WordPress administrator email address, WordPress domain name, the administrator account’s username and password, and a list of all installed persistence methods to the command-and-control (C2) domain “wpjs1[.]com.”
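The account hiding described above works by hooking WordPress's own user queries, so the rogue administrator is invisible in the dashboard but not in the database. The Python below is an added example, not code from Patchstack or Nextend: it builds a constructed in-memory SQLite copy of the wp_users, wp_usermeta and wp_options tables (the SQL is plain enough to run unchanged against MySQL with the default wp_ table prefix), lists every administrator directly from the tables, pulls the three _wpc_* options, and cross-checks _wpc_uid against that administrator list. The secret key, e-mail addresses, user IDs and timestamps are made-up sample data; only the option names and the example username come from the report.

```python
import base64
import json
import sqlite3
from typing import Dict, List, Optional, Tuple

# Option names and the example username come from the Patchstack write-up.
BACKDOOR_OPTIONS = ("_wpc_ak", "_wpc_uid", "_wpc_uinfo")
# Substring of the PHP-serialized capability array that marks an administrator.
ADMIN_CAP_MARKER = '"administrator"'

# Minimal copies of the three WordPress tables involved (default wp_ prefix).
SCHEMA = """
CREATE TABLE wp_users (
    ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (
    umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_options (
    option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT, autoload TEXT);
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a compromised site's database (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    caps = 'a:1:{s:13:"administrator";b:1;}'  # how WordPress serializes the admin role
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", [
        (1, "alice", "alice@example.com", "2024-01-05 10:00:00"),
        (7, "wpsvc_a3f1", "svc@example.invalid", "2026-04-07 14:12:33"),  # hidden admin
    ])
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
        [(1, "wp_capabilities", caps), (7, "wp_capabilities", caps)])
    uinfo = base64.b64encode(json.dumps(
        {"user": "wpsvc_a3f1", "email": "svc@example.invalid"}).encode()).decode()
    conn.executemany(
        "INSERT INTO wp_options (option_name, option_value, autoload) VALUES (?, ?, ?)", [
            ("siteurl", "https://example.com", "yes"),
            ("_wpc_ak", "0123456789abcdef", "no"),   # made-up secret key
            ("_wpc_uid", "7", "no"),
            ("_wpc_uinfo", uinfo, "no"),
        ])
    conn.commit()
    return conn


def list_administrators(conn: sqlite3.Connection) -> List[Tuple[int, str, str]]:
    """Every administrator, read straight from the tables.

    The backdoor's pre_user_query hook only filters WP_User_Query inside
    WordPress; a direct SQL query is not affected by it.
    """
    return conn.execute(
        "SELECT u.ID, u.user_login, u.user_email FROM wp_users u "
        "JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE ? "
        "ORDER BY u.ID", (f"%{ADMIN_CAP_MARKER}%",)).fetchall()


def backdoor_options(conn: sqlite3.Connection) -> Dict[str, Dict[str, str]]:
    """The three state options the payload stores with autoload = 'no'."""
    placeholders = ",".join("?" * len(BACKDOOR_OPTIONS))
    rows = conn.execute(
        f"SELECT option_name, option_value, autoload FROM wp_options "
        f"WHERE option_name IN ({placeholders})", BACKDOOR_OPTIONS).fetchall()
    return {name: {"value": value, "autoload": autoload} for name, value, autoload in rows}


def hidden_admin_login(conn: sqlite3.Connection) -> Optional[str]:
    """Resolve _wpc_uid to a login by cross-checking the administrator list."""
    uid = backdoor_options(conn).get("_wpc_uid")
    if uid is None:
        return None
    for user_id, login, _email in list_administrators(conn):
        if str(user_id) == uid["value"]:
            return login
    return None


def decode_uinfo(value: str) -> dict:
    """Decode the Base64-encoded JSON stored in _wpc_uinfo."""
    return json.loads(base64.b64decode(value))


if __name__ == "__main__":
    db = build_sample_db()
    for row in list_administrators(db):
        print("administrator:", row)
    for name, info in backdoor_options(db).items():
        print(f"option {name}: autoload={info['autoload']} value={info['value']}")
    print("hidden admin resolved from _wpc_uid:", hidden_admin_login(db))
```

Run the two SELECTs against the live database (or a dump) rather than through the WordPress users screen, and compare the administrator list with the accounts you expect; an extra administrator registered around the April 7 update window, or any row for the _wpc_* names, is a positive finding.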

“The malware operates in several stages, each designed to ensure deep, persistent, and unwanted access to the compromised site,” Patchstack said.

“The complexity of the payload is remarkable: instead of a simple webshell, the attacker used a multi-layered persistence toolkit with several independent, redundant re-entry points, user masking, strong command execution through reverse chains, and automatic C2 registration with full evidence embedding.”

The free version of the WordPress plugin is not affected. To contain the incident, Nextend shut down its update servers, removed the malicious version, and launched a full investigation.

Users running the trojanized version are advised to update to version 3.5.1.36. In addition, anyone who installed the rogue version is advised to perform the following clean-up steps –

  • Check for any suspicious or unknown administrator accounts and remove them.
  • Uninstall Smart Slider 3 Pro version 3.5.1.35 if installed.
  • Reinstall the clean version of the plugin.
  • Delete all persistent files that allow the backdoor to run on the site.
  • Remove malicious WordPress options from the “wp_options” table: _wpc_ak, _wpc_uid, _wpc_uinfo, _perf_toolkit_source, and wp_page_for_privacy_policy_cache.
  • Clean up the “wp-config.php” file, including removing “define(‘WP_CACHE_SALT’, ‘‘);” if any.
  • Delete the line “# WPCacheSalt ” from the “.htaccess” file located in the WordPress root folder.
  • Reset the administrator and user passwords of the WordPress site.
  • Change the FTP/SSH and hosting account details.
  • Review the website and logs for any unauthorized changes and unusual POST requests.
  • Enable two-factor authentication (2FA) for administrators and disable PHP execution in the uploads folder.
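The file-system part of the clean-up list above can be scripted. The Python below is an added example (not code from Patchstack or Nextend) that walks a WordPress root and reports the artefacts the steps name: the two dropped file names, the WP_CACHE_SALT define in wp-config.php, the “# WPCacheSalt” line in .htaccess, and any theme functions.php that references the tokens the report associates with the backdoor (shell_exec, the X-Cache-* request headers, the _wpc_ak option). That last check is my own heuristic, not a signature from the report, and a legitimate theme that calls shell_exec would trip it, so treat each hit as something to inspect rather than delete blindly. build_sample_site() creates a constructed directory tree with harmless placeholder files at made-up locations so the scanner can be run offline.

```python
import re
import tempfile
from pathlib import Path
from typing import List

# File names, the wp-config define and the .htaccess marker come from the clean-up steps.
DROPPED_FILENAMES = ("object-cache-helper.php", "class-wp-cache-helper.php")
WPCONFIG_DEFINE = re.compile(r"define\(\s*['\"]WP_CACHE_SALT['\"]")
HTACCESS_MARKER = "# WPCacheSalt"
# Heuristic (my assumption): the report says X-Cache-Key feeds shell_exec() and
# the state lives in _wpc_* options, so look for those tokens in theme functions.php.
THEME_INDICATORS = ("shell_exec", "HTTP_X_CACHE_KEY", "HTTP_X_CACHE_STATUS", "_wpc_ak")


def scan_wordpress_root(root: Path) -> List[str]:
    """Return one human-readable finding per artefact located under root."""
    findings: List[str] = []

    # 1. Dropped files: search the whole tree, since the report does not fix the directory.
    for path in root.rglob("*"):
        if path.is_file() and path.name in DROPPED_FILENAMES:
            findings.append(f"dropped file: {path.relative_to(root)}")

    # 2. wp-config.php: the define the attacker adds.
    cfg = root / "wp-config.php"
    if cfg.is_file() and WPCONFIG_DEFINE.search(cfg.read_text(errors="replace")):
        findings.append("wp-config.php: WP_CACHE_SALT define present")

    # 3. .htaccess: the marker line in the WordPress root.
    ht = root / ".htaccess"
    if ht.is_file():
        for lineno, line in enumerate(ht.read_text(errors="replace").splitlines(), 1):
            if line.strip().startswith(HTACCESS_MARKER):
                findings.append(f".htaccess line {lineno}: {HTACCESS_MARKER} marker")

    # 4. Theme functions.php: heuristic token match (see THEME_INDICATORS).
    for fn in (root / "wp-content" / "themes").glob("*/functions.php"):
        hits = [t for t in THEME_INDICATORS if t in fn.read_text(errors="replace")]
        if hits:
            findings.append(f"{fn.relative_to(root)}: {', '.join(hits)}")

    return findings


def build_sample_site() -> Path:
    """Constructed WordPress tree containing every artefact as harmless placeholders."""
    root = Path(tempfile.mkdtemp(prefix="wp-ioc-"))
    (root / "wp-config.php").write_text(
        "<?php\ndefine('DB_NAME', 'wp');\ndefine('WP_CACHE_SALT', '');\n")
    (root / ".htaccess").write_text(
        "# BEGIN WordPress\nRewriteEngine On\n# WPCacheSalt \n")
    plugins = root / "wp-content" / "plugins"          # made-up location
    plugins.mkdir(parents=True)
    (plugins / "object-cache-helper.php").write_text("<?php // placeholder, not malware\n")
    theme = root / "wp-content" / "themes" / "sampletheme"
    theme.mkdir(parents=True)
    (theme / "functions.php").write_text(
        "<?php\n// theme code ...\n"
        "if (isset($_SERVER['HTTP_X_CACHE_KEY'])) { /* constructed marker only */ }\n")
    inc = root / "wp-includes"                          # made-up location
    inc.mkdir()
    (inc / "class-wp-cache-helper.php").write_text("<?php // placeholder, not malware\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for finding in scan_wordpress_root(site):
        print(finding)
```

Point scan_wordpress_root() at the real document root (for example `scan_wordpress_root(Path("/var/www/html"))`) after the plugin has been reinstalled; a clean install should produce no findings. The database-side items in the list (the _wpc_* and other options, the hidden administrator, the credential reset) are not on disk and have to be handled with direct SQL against wp_options and wp_users.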

“This incident is a supply chain compromise, the kind that makes standard defenses useless,” Patchstack said. “Standard firewall rules, default authentication, role-based access controls, none of them apply when malicious code is delivered through a trusted update channel. The plugin is malware.”
