Smart Slider updates hijacked to push malicious WordPress, Joomla versions

Source: Bleeping Computer

Incident summary

Hackers hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla, pushing a malicious version with multiple backdoors.

The developer says that only the Pro version 3.5.1.35 is affected and recommends switching immediately to the latest version (currently 3.5.1.36) or to 3.5.1.34 and earlier.

Malicious update behavior

• Installs backdoors in several locations.
• Creates a hidden user with administrator permissions.
• Steals sensitive data.

Smart Slider 3 for WordPress is used on over 900,000 websites for responsive slider creation via a live slider editor, featuring a large selection of layouts and designs.

According to the vendor, the threat actor distributed the malicious update on April 7, and some websites may have installed it.

PatchStack’s analysis notes that the malware is a fully‑featured, multi‑layered toolkit embedded in the plugin’s main file while preserving Smart Slider’s normal functionality. Highlights include:

• Remote command execution via crafted HTTP headers (no authentication required).
• A second authenticated backdoor with PHP eval and OS command execution, plus automated credential theft.
• Persistence through multiple layers:
  • Creation of a hidden admin account and storage of credentials in the database.
  • Creation of a mu-plugins directory with a must‑use plugin masquerading as a legitimate caching component.
  • Injection of a backdoor into the active theme’s functions.php.
  • Placement of a PHP file in wp‑includes that mimics a core WordPress class and reads its authentication key from a .cache_key file, allowing it to survive database credential changes.

Creating a hidden admin account – Source: PatchStack

The vendor also issued a warning for Joomla installations, stating that the malicious code in version 3.5.1.35 may create a hidden admin account (usually with the prefix wpsvc_), install additional backdoors in the /cache and /media directories, and steal site information and credentials.
Smart Slider Joomla security advisory (3.5.1.35 compromise)

Recommended actions

• The malicious update was distributed on April 7. The Smart Slider team suggests using April 5 as the safest date for backup restoration to account for time‑zone differences.
• If a clean backup is unavailable, remove the compromised plugin and install a clean version (3.5.1.36).

Immediate remediation steps

1. Delete malicious users, files, and database entries.
2. Reinstall WordPress core, plugins, and themes from trusted sources.
3. Rotate all credentials (WordPress, database, FTP/SSH, hosting, email).
4. Regenerate WordPress security keys (salts).
5. Scan for remaining malware and review logs.

The vendor provides a multi‑step manual cleanup guide for WordPress and Joomla, beginning with placing the site in maintenance mode and backing it up. Afterward, administrators should:

• Remove unauthorized admin users.
• Delete all malicious components.
• Install fresh core files, plugins, and themes.
• Reset all passwords.
• Perform a thorough malware scan.

Hardening recommendations

• Activate two‑factor authentication (2FA).
• Keep all components updated to the latest versions.
• Restrict admin access to trusted IPs or users.
• Use strong, unique passwords for every account.

Automated Pentesting Covers Only 1 of 6 Surfaces

Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other. This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.