
A serious supply chain attack recently hit Smart Slider 3 Pro, a widely used plugin on WordPress and Joomla sites. Instead of exploiting a typical bug, attackers managed to compromise the official update system and distribute a malicious version of the plugin to unsuspecting users.
The compromised version, 3.5.1.35, was briefly available through the official update channel. During that short window, any site that updated the plugin unknowingly installed a backdoor that allowed remote code execution, hidden admin account creation, and data exfiltration. This means attackers could fully control affected websites without needing authentication.
What makes this incident particularly dangerous is that it didn’t rely on user mistakes or phishing. The malware came directly from a trusted update source, which normally acts as a secure distribution channel. In other words, even security-conscious admins who regularly update their plugins were at risk.
The malicious payload was designed for persistence. It could execute commands remotely, inject hidden users, and survive basic cleanup attempts. In many cases, infected sites should be treated as fully compromised, especially if they ran the affected version at any point.
A clean version, 3.5.1.36, has since been released, and the compromised update has been removed. However, updating alone is not enough for previously affected systems. Website owners should perform a full security audit, remove unauthorized accounts, and check for backdoors or suspicious files.
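A small triage helper for the audit just described, added here as an example and not taken from the article or from the plugin vendor: it reads the installed plugin's version header, flags 3.5.1.35, and lists PHP files that sit under uploads (where none belong) or that changed after the suspected update time. The plugin main-file path and the wp-content layout are assumptions for this example.

```python
import re
from pathlib import Path

# Versions as stated in the article: 3.5.1.35 is the backdoored build,
# 3.5.1.36 the clean follow-up release.
COMPROMISED_VERSION = "3.5.1.35"
CLEAN_VERSION = "3.5.1.36"

# Assumed location of the plugin's main file (not taken from the article).
PLUGIN_MAIN = "wp-content/plugins/smart-slider-3-pro/smart-slider-3.php"

# Matches the 'Version:' field of a WordPress plugin header comment,
# with or without the leading ' * ' of a block comment.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def plugin_version(wp_root, main_file=PLUGIN_MAIN):
    """Return the Version field from the plugin header, or None if absent."""
    path = Path(wp_root) / main_file
    if not path.is_file():
        return None
    m = HEADER_RE.search(path.read_text(errors="replace"))
    return m.group(1) if m else None


def version_status(ver):
    """Classify the installed version. 'clean' only means the files on disk are
    the fixed build; a site that ran 3.5.1.35 at any point still needs the
    full audit (rogue accounts, backdoors, modified files)."""
    if ver is None:
        return "not-installed"
    if ver == COMPROMISED_VERSION:
        return "compromised"
    as_tuple = lambda s: tuple(int(p) for p in s.split("."))
    return "clean" if as_tuple(ver) >= as_tuple(CLEAN_VERSION) else "older"


def php_under_uploads(wp_root):
    """wp-content/uploads should never hold executable PHP; list anything found."""
    uploads = Path(wp_root) / "wp-content" / "uploads"
    if not uploads.is_dir():
        return []
    exts = {".php", ".phtml", ".php5", ".phar"}
    return sorted(p.relative_to(wp_root).as_posix() for p in uploads.rglob("*")
                  if p.is_file() and p.suffix.lower() in exts)


def php_modified_since(wp_root, since_epoch):
    """List PHP files changed on or after the suspected install time of the bad update."""
    root = Path(wp_root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*.php")
                  if p.is_file() and p.stat().st_mtime >= since_epoch)
```

Run the three checks against the site root; a "clean" version with fresh PHP under uploads or unexplained recent modifications is exactly the case where updating alone was not enough.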
This incident highlights a growing risk in modern web security: supply chain attacks. Even trusted software updates can become attack vectors if the distribution infrastructure is compromised. For developers and site owners, it’s a reminder that security doesn’t stop at patching vulnerabilities, but also requires monitoring, validation, and layered defenses.
source: https://thehackernews.com/2026/04/backdoored-smart-slider-3-pro-update.html
