Attackers compromised the update infrastructure belonging to Nextend, the developer of the Smart Slider 3 WordPress plugin, and used it to push a fully weaponized build to sites running the Pro edition. The trojanized version 3.5.1.35 was distributed through the official update channel on April 7, 2026, and remained live for approximately six hours before detection.

Smart Slider 3 has over 800,000 active installations across its free and Pro editions. Only the Pro version, which uses Nextend’s proprietary update server, was affected — the free version distributed through the WordPress.org plugin repository was not compromised.

What Happened

An unauthorized party gained access to Nextend’s update distribution infrastructure — not the plugin source code repository, but the servers that deliver builds to Pro license holders. The attacker replaced the legitimate 3.5.1.35 release with a fully attacker-authored package containing a multi-stage remote access toolkit.

Any site that auto-updated or manually updated to 3.5.1.35 during the six-hour window received the malicious build. The compromise was identified and the update pulled, but the damage window was significant given the plugin’s install base.

Technical Details

The payload was not a simple webshell. The attacker deployed a sophisticated, multi-layered persistence toolkit with several independent capabilities:

Rogue Administrator Creation: The backdoor creates hidden administrator accounts on the compromised WordPress instance, providing the attacker with legitimate login access that survives password resets on existing accounts.

Remote Command Execution via HTTP Headers: Backdoor endpoints accept system commands delivered through HTTP request headers, allowing the attacker to execute arbitrary commands on the underlying server without authenticating to WordPress at all.

Multi-Point Persistence: Rather than relying on a single backdoor, the toolkit installs several independent, redundant re-entry points. If one is discovered and removed, others remain active. The malware also implements user concealment to hide the rogue admin accounts from the WordPress dashboard.

Full Credential Exfiltration: On installation, the malware phones home to the C2 domain wpjs1[.]com with a comprehensive data package including the site URL, a secret backdoor key, hostname, Smart Slider 3 version, WordPress and PHP versions, the WordPress admin email, the database name, plaintext administrator credentials, and a manifest of all installed persistence methods.

The exfiltration of plaintext admin credentials is particularly damaging — even if the backdoor is fully cleaned, stolen credentials can be used to re-compromise the site if passwords are not rotated.

Who is Affected

Affected sites are those running Smart Slider 3 Pro that updated to version 3.5.1.35 between its release on April 7 and its detection approximately six hours later. The free edition of Smart Slider 3 was not affected.

Joomla versions of the plugin were also targeted through the same compromised update channel.

What to Do Right Now

1. Check Your Version: If you’re running Smart Slider 3 Pro, verify your installed version. If it’s 3.5.1.35 and was updated during the April 7 window, assume compromise.

2. Restore from Backup: Nextend recommends restoring from a backup dated April 5 or earlier (the two-day buffer accounts for timezone differences in update distribution). A clean reinstall of the plugin is not sufficient — the malware installs persistence outside the plugin directory.

3. Rotate All Credentials: Change every WordPress admin password immediately. The malware exfiltrated plaintext credentials. Also rotate database credentials and any API keys stored in wp-config.php.

4. Hunt for Rogue Accounts: Check wp_users and wp_usermeta directly in the database for administrator accounts you don’t recognize. The malware hides these from the WordPress admin UI.

5. Scan for Backdoors: Look for unexpected PHP files outside the smart-slider-3 plugin directory. The multi-point persistence means cleaning just the plugin folder is insufficient. Check wp-content/uploads, wp-includes, and theme directories for recently modified PHP files.

6. Block the C2: Add wpjs1[.]com to your firewall blocklist and check your logs for any outbound connections to this domain.

7. Update When Clean: Once compromised instances are restored from clean backups, update to a patched version of Smart Slider 3 Pro released after the incident.
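
The checks in steps 4 to 6 can be scripted. The shell helpers below are an added example, not code from Nextend or from the original advisory. The function names, the default wp_ table prefix and the April 5 cutoff are assumptions made for illustration, and the plugin folder name is taken from step 5.

```bash
# Added triage helpers; names, prefix and cutoff below are assumptions.
C2_DOMAIN='wpjs1.com'          # the page's wpjs1[.]com, refanged for matching
PLUGIN_DIR='smart-slider-3'    # plugin folder name as given in step 5
CUTOFF='202604050000'          # touch -t format; assumed from the April 5 backup date

# Step 4: raw SQL listing administrators, bypassing the dashboard user list.
# Pipe the output into the mysql client for the site's database.
admin_accounts_sql() {
  local prefix="${1:-wp_}"     # default table prefix; pass yours if it differs
  cat <<SQL
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM ${prefix}users u
JOIN ${prefix}usermeta m ON m.user_id = u.ID
WHERE m.meta_key = '${prefix}capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC;
SQL
}

# Step 5: PHP files modified after CUTOFF anywhere outside the plugin folder.
recent_php_outside_plugin() {
  local root="$1" ref
  ref="$(mktemp)" || return 1
  touch -t "$CUTOFF" "$ref"
  find "$root" -type f -name '*.php' -newer "$ref" \
    ! -path "*/plugins/$PLUGIN_DIR/*" | sort
  rm -f "$ref"
}

# Step 5: any PHP file under uploads is suspect whatever its timestamp.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort
}

# Step 6: lines mentioning the C2 domain in proxy, DNS or firewall logs.
c2_log_hits() {
  grep -F -i -- "$C2_DOMAIN" "$@"
}
```

File timestamps can be reset after the fact, so treat the modified-since scan as a first pass and compare the tree against a known-good backup as well.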

Indicators of Compromise

  • C2 Domain: wpjs1[.]com
  • Affected Version: Smart Slider 3 Pro 3.5.1.35 (distributed April 7, 2026)
  • CVE: CVE-2026-3098 (arbitrary file read associated with the vulnerability)

Broader Context

This attack follows the pattern seen in the TeamPCP campaign and the Axios npm compromise earlier this year: attackers are not creating fake packages — they are compromising trusted update infrastructure to distribute malicious builds through official channels. The attack surface has shifted from package name typosquatting to direct compromise of maintainer infrastructure and build pipelines.

For WordPress operators running any premium plugins that use vendor-hosted update servers (rather than WordPress.org), this is a reminder that your update trust boundary extends to every vendor’s infrastructure. Consider pinning plugin versions in staging before promoting to production, and monitoring for unexpected file changes post-update.