A critical supply-chain attack has been detected affecting the Smart Slider 3 Pro plugin, widely used on WordPress and Joomla platforms. Threat actors compromised the update infrastructure of Nextend, the plugin vendor, to distribute a malicious update—version 3.5.1.35—containing an unauthorized access mechanism (webshell).
With over 800,000 active installations, this incident presents a severe risk of widespread remote code execution (RCE). Defenders must assume that any system running this specific version is fully compromised and act immediately to identify the backdoor and restore integrity.
Incident Overview
What Happened: Unknown adversaries hijacked the distribution channel for Smart Slider 3 Pro. By poisoning the update mechanism, they tricked administrative panels into downloading and installing version 3.5.1.35, which ships with a built-in backdoor. This grants attackers persistent, unauthorized access to the underlying web server.
Why It Matters: Unlike typical plugin vulnerabilities requiring exploit attempts, this is a trusted update mechanism compromise. Standard Web Application Firewalls (WAF) may not block the download as it originates from a legitimate vendor API. Once installed, the backdoor allows attackers to bypass authentication, upload additional malware, or move laterally within the hosting environment.
Technical Analysis
- Affected Product: Smart Slider 3 Pro
- Affected Platforms: WordPress, Joomla
- Malicious Version: 3.5.1.35 (Do NOT install; remove immediately if present)
- Attack Vector: Supply Chain (Compromised Update Server)
- Threat Type: Webshell / Unauthorized Access Mechanism
Mechanism of Compromise: The update file for version 3.5.1.35 includes modified PHP code that facilitates unauthorized access. While the specific obfuscation may vary, the fundamental capability allows remote command execution via HTTP requests to the WordPress or Joomla installation.
Exploitation Status:
- Confirmed Active: Yes, distributed via official vendor channels.
- PoC Availability: N/A (Trusted channel abuse).
- CISA KEV: Not listed at the time of writing, but critical severity due to active supply chain weaponization.
Detection & Response
The following detection mechanisms are designed to identify the activity associated with the backdoored plugin and the post-exploitation behavior of the webshell.
SIGMA Rules
---
title: Potential Webshell Execution via Web Server Process
id: 8a4b1c92-5e6d-4f33-a9b0-1c2d3e4f5a6b
status: experimental
description: Detects web server processes spawning shells, a common indicator of webshell activity associated with the Smart Slider backdoor.
references:
- https://thehackernews.com/2026/04/backdoored-smart-slider-3-pro-update.html
author: Security Arsenal
date: 2026/04/06
tags:
- attack.initial_access
- attack.t1190
- attack.execution
- attack.t1059.004
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith:
- '/apache2'
- '/httpd'
- '/nginx'
- '/php-fpm'
Image|endswith:
- '/bash'
- '/sh'
- '/zsh'
- '/perl'
- '/python'
condition: selection
falsepositives:
- Legitimate administrative scripting by developers
level: high
---
title: Smart Slider 3 Pro Backdoor File Modification
id: 9b5c2d03-6f7e-0g44-b0c1-2d3e4f5a6b7c
status: experimental
description: Detects modifications to the core Smart Slider 3 Pro plugin file, specifically targeting the malicious update timeframe.
references:
- https://thehackernews.com/2026/04/backdoored-smart-slider-3-pro-update.html
author: Security Arsenal
date: 2026/04/06
tags:
- attack.persistence
- attack.t1505.003
logsource:
category: file_event
product: linux
detection:
selection:
TargetFilename|contains: 'nextend-smart-slider3-pro'
TargetFilename|endswith: '.php'
condition: selection
falsepositives:
- Legitimate plugin updates by administrators
level: medium
KQL (Microsoft Sentinel)
// Hunt for suspicious processes spawned by web servers (Webshell activity)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~("apache2", "httpd", "nginx", "php-fpm")
| where FileName in~("sh", "bash", "perl", "python", "wget", "curl")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, CommandLine, AccountName
| order by Timestamp desc
// Hunt for file modifications in the Smart Slider directory
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath contains @"nextend-smart-slider3-pro"
| where ActionType == "FileModified" or ActionType == "FileCreated"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName, SHA256
Velociraptor VQL
-- Hunt for the specific malicious version 3.5.1.35 in the plugin header
SELECT FullPath, Mtime, Atime, Size
FROM glob(globs='/*/wp-content/plugins/nextend-smart-slider3-pro/nextend-smart-slider3-pro.php')
WHERE
-- Read file content to check for the malicious version string
read_file(filename=FullPath) =~ "Version: 3.5.1.35"
OR
-- Also flag if the file was modified recently (last 7 days)
Mtime > now() - 86400 * 7
-- Hunt for common PHP webshell keywords in the Smart Slider directory
SELECT FullPath, Name
FROM glob(globs='/*/wp-content/plugins/nextend-smart-slider3-pro/**/*.php')
WHERE read_file(filename=FullPath) =~ "(eval\(|base64_decode|assert\(|system\(|passthru\(|shell_exec)"
Remediation Script (Bash)
This script scans the document root for the malicious version and suspicious code patterns within the Smart Slider plugin directory.
#!/bin/bash
# Security Arsenal - Smart Slider 3 Pro Remediation Script
# This script checks for the presence of the backdoored version 3.5.1.35
echo "[+] Scanning for Smart Slider 3 Pro version 3.5.1.35..."
# Define base paths (Adjust /var/www/html to your document root)
SEARCH_PATH="/var/www/html"
# Find the main plugin file and check version
find "$SEARCH_PATH" -type f -path "*nextend-smart-slider3-pro/nextend-smart-slider3-pro.php" -print0 | while IFS= read -r -d '' file; do
if grep -q "Version: 3.5.1.35" "$file"; then
echo "[!] ALERT: Malicious version 3.5.1.35 found at: $file"
echo "[!] Recommendation: Immediate removal of the plugin directory and restoration from clean backup."
# Optional: Quarantine (commented out for safety)
# mv "$(dirname "$file")" "$(dirname "$file").quarantined"
else
echo "[-] Clean or different version found at: $file"
fi
done
echo "[+] Scanning for common webshell patterns in Smart Slider directory..."
# Search for obfuscated PHP functions often used in backdoors within the specific plugin
find "$SEARCH_PATH" -type f -path "*nextend-smart-slider3-pro/*.php" -exec grep -l "eval\(\\\$_" {} \; 2>/dev/null | while read infected_file; do
echo "[!] SUSPICIOUS: Potential backdoor signature found in: $infected_file"
done
echo "[+] Scan complete."
Remediation
- Immediate Update: If version 3.5.1.35 is present, immediately update to the latest version released by Nextend. Verify the new version number from the official vendor changelog, ensuring it supersedes 3.5.1.35.
- Plugin Removal: If an update is not yet available, completely remove the
nextend-smart-slider3-prodirectory from yourwp-content/pluginsfolder to neutralize the threat immediately. - Credential Reset: Assume that administrative credentials (WordPress/Joomla admin, FTP, SSH, and database) have been compromised. Reset all passwords and enforce multi-factor authentication (MFA) where possible.
- Log Analysis: Review web server access logs (
access.log) for the timeframe the plugin was active. Look for suspicious POST requests to the plugin directory or requests containing base64-encoded strings. - Server Reimaging: In cases where deep system compromise is suspected (e.g., webserver history shows unknown binaries), revert to a known-good backup from a date prior to the installation of version 3.5.1.35.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.