Ethical Hacking News
Hackers have pushed malicious updates on the Smart Slider plugin for WordPress and Joomla. This has resulted in multiple backdoors being created in critical locations within the plugin's core files. Users are advised to update immediately to protect their websites from potential exploitation. The best course of action for affected users is to delete malicious components, reinstall trusted plugins, and activate two-factor authentication to secure their sites.
Smart Slider updates hijacked to push malicious WordPress, Joomla versions
By Bill Toulas
April 9, 2026
12:15 PM
The security landscape for content creators is always evolving. This time, hackers have targeted Smart Slider 3 Pro for WordPress and Joomla with a malicious update that pushed backdoors into multiple locations, stole sensitive data, and created a hidden admin account.
The Smart Slider team has confirmed that only the Pro version 3.5.1.35 of the plugin is affected by this incident and urges users to switch immediately to the latest version, currently 3.5.1.36, or 3.5.1.34 and earlier.
Smart Slider 3 for WordPress is used on over 900,000 websites for responsive slider creation via a live slider editor, featuring a large selection of layouts and designs. According to the vendor, this malicious update was distributed on April 7, with some websites possibly having installed it.
An analysis from PatchStack, a company specializing in securing WordPress and open-source software, reveals that the malware embedded in the plugin's main file is a multi-layered toolkit that preserves Smart Slider's normal functionality. It includes a second backdoor, keyed on crafted HTTP headers, through which remote attackers can execute commands without any WordPress authentication.
Another layer of persistence is created by injecting a PHP file into the active theme's functions.php file, allowing it to persist as long as the theme is active. Additionally, the malware plants a backdoor in the wp-includes directory by injecting a PHP file that mimics a legitimate WordPress core class.
Unlike other persistence layers, this method does not depend on the WordPress database but instead reads its authentication key from a .cache_key file stored in the same directory. This means changing the database credentials would not neutralize the backdoor, which continues to work even if WordPress fails to bootstrap fully.
The Smart Slider team has issued a similar warning for Joomla installations, indicating that the malicious code present in version 3.5.1.35 of the plugin may create a hidden admin account, install additional backdoors in the /cache and /media directories, and steal site information and credentials.
To protect their websites from this vulnerability, users are advised to remove the compromised plugin and install a clean version (3.5.1.36). If no backup is available, administrators should assume full site compromise and take the following actions: delete malicious users, files, and database entries; reinstall WordPress core, plugins, and themes from trusted sources; rotate all credentials (WP, DB, FTP/SSH, hosting, email); regenerate the WordPress security keys (salts); and scan for remaining malware and review logs.
The vendor also provides a multi-step manual cleanup guide for both WordPress and Joomla, starting with putting the site into maintenance mode and backing it up. Admins should then remove unauthorized admin users, remove all malicious components, and reinstall all core files, plugins, and themes. Resetting all passwords and scanning for additional malware is also recommended.
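The persistence layers described above (the fake core class in wp-includes with its .cache_key file, and the loader injected into the active theme's functions.php) and the "scan for remaining malware" step of the cleanup can be checked with a small triage script. This is an added example, not vendor or PatchStack code; the core-file manifest stub, the sample tree's file names, and the loader-path heuristic are constructed assumptions.

```python
"""Triage checks for the Smart Slider 3.5.1.35 persistence layers described above.
Added example, not vendor or PatchStack code. Constructed assumptions: the core
manifest stub, the sample-tree file names, and the loader-path heuristic."""
import re
import tempfile
from pathlib import Path
# Stub; take the real list from a clean WordPress checkout of the same version.
KNOWN_GOOD_WP_INCLUDES = {"class-wp.php", "plugin.php", "version.php"}
# A loader in a theme's functions.php that pulls code from outside the theme
# directory (the injected layer above). Legitimate theme requires stay under
# the theme's own path, so these locations are suspicious; tune to your site.
LOADER_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;\n]*"
    r"(?:wp-includes|wp-content/uploads|/cache/|/tmp/|\.cache_key)")

def find_cache_key_files(root):
    """Auth-key file the wp-includes backdoor reads; the file itself is a reliable indicator."""
    return sorted(p.relative_to(root).as_posix() for p in Path(root).rglob(".cache_key"))

def find_unknown_core_files(root):
    """PHP files in wp-includes that a clean core of this version does not ship."""
    inc = Path(root) / "wp-includes"
    return sorted(p.name for p in inc.glob("*.php") if p.name not in KNOWN_GOOD_WP_INCLUDES)

def find_tampered_functions_php(root):
    """Theme functions.php files carrying a loader for code outside the theme."""
    themes = Path(root) / "wp-content" / "themes"
    return sorted(fp.relative_to(root).as_posix() for fp in themes.glob("*/functions.php")
                  if LOADER_RE.search(fp.read_text(errors="replace")))

def triage(root):
    """Any non-empty list means the site should be treated as fully compromised."""
    return {"cache_key": find_cache_key_files(root),
            "unknown_core": find_unknown_core_files(root),
            "tampered_functions": find_tampered_functions_php(root)}

def build_sample_tree():
    """Constructed WordPress root: one clean theme, one with the injected loader."""
    root = Path(tempfile.mkdtemp())
    inc = root / "wp-includes"
    inc.mkdir()
    (inc / "class-wp.php").write_text("<?php class WP {}\n")  # genuine core file
    (inc / "class-wp-loader.php").write_text("<?php // fake core class\n")  # constructed
    (inc / ".cache_key").write_text("CONSTRUCTED-KEY\n")
    loader = "require_once ABSPATH . 'wp-includes/class-wp-loader.php';\n"
    for name, extra in (("clean", ""), ("infected", loader)):
        theme = root / "wp-content" / "themes" / name
        theme.mkdir(parents=True)
        (theme / "functions.php").write_text(
            "<?php\nrequire get_template_directory() . '/inc/setup.php';\n" + extra)
    return root
```

Point `triage()` at a real document root after replacing the manifest stub; a hit in any list means the cleanup in the advisory applies, not just a plugin reinstall.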
Finally, administrators are advised to harden their sites by enabling two-factor authentication (2FA), updating components to the latest versions, restricting admin access, and using strong, unique passwords.
The attack on Smart Slider 3 Pro for WordPress and Joomla serves as a reminder of the importance of keeping plugins up to date. In today's ever-evolving digital landscape, hackers continually find ways to exploit vulnerabilities in software, making timely updates crucial for protecting user data.
Related Information:
https://www.ethicalhackingnews.com/articles/Smart-Slider-Plugin-Hijacked-to-Push-Malicious-WordPress-and-Joomla-Versions-ehn.shtml
https://www.bleepingcomputer.com/news/security/smart-slider-updates-hijacked-to-push-malicious-wordpress-joomla-versions/
https://wpscan.com/vulnerability/e1db44ac-5ab9-4245-8f63-3878025c04e2/
Published: Thu Apr 9 12:48:27 2026 by llama3.2 3B Q4_K_M