Smart Slider Updates Hijacked to Push Malicious WordPress, Joomla Versions

Supply‑chain attacks on content‑management systems have surged as threat actors target the trusted update channels that power millions of sites. By compromising the Smart Slider 3 Pro update server, attackers injected a sophisticated toolkit that bypasses typical WordPress defenses, illustrating how a single compromised plugin can become a gateway to entire web ecosystems. This incident underscores the need for developers to secure their distribution pipelines with code signing, integrity checks, and multi‑factor controls, while users must adopt strict verification practices before applying updates.

The malicious Smart Slider payload is notable for its depth of persistence. It creates a hidden administrator account, drops a mu‑plugin that loads automatically, modifies the active theme’s functions.php, and plants a fake core class file that reads authentication keys from a hidden cache file. These layers ensure the backdoor survives password changes, database resets, and even partial site failures. Once active, the kit enables unauthenticated command execution via crafted HTTP headers and provides a secondary PHP‑eval backdoor for credential theft, giving attackers full server control and the ability to exfiltrate sensitive data.

For site owners, the immediate response is to revert to a clean version—either 3.5.1.34 or the patched 3.5.1.36—and conduct a comprehensive cleanup: delete rogue users and files, reinstall core components, rotate all passwords, and regenerate WordPress salts. Long‑term defenses include enabling two‑factor authentication, restricting admin access, employing security plugins that monitor file integrity, and regularly backing up sites to a known good state. The Smart Slider breach serves as a cautionary tale that even widely adopted, reputable plugins can become attack vectors, reinforcing the importance of a layered security posture across the WordPress and Joomla landscapes.