
Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers

Unknown threat actors compromised the Nextend update infrastructure to distribute a malicious version of the Smart Slider 3 Pro plugin, exposing WordPress sites to remote code execution backdoors.

Key Points

  • The malicious update, version 3.5.1.35, was distributed through official channels for approximately six hours on April 7, 2026.
  • The backdoor allows attackers to create hidden administrator accounts, execute arbitrary PHP code, and run system commands remotely.
  • Malware persistence is maintained through multiple redundant files, including a fake caching component and modifications to theme functions.
  • Compromised sites automatically exfiltrated sensitive database and credential information to the command-and-control domain wpjs1.com.
  • Nextend has removed the malicious build and released version 3.5.1.36 to remediate the vulnerability for affected users.
  • Security firm Patchstack advises users to perform a comprehensive site cleanup, including password resets and the removal of unauthorized administrator accounts.
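
A triage check for the indicators listed above (an added example, not code from Nextend, Patchstack or the original report): it flags a plugin header reporting version 3.5.1.35 and any PHP file under wp-content that mentions wpjs1.com in plain text. The header name "Smart Slider 3 Pro", the function names and the sample directory tree are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

BAD_VERSION = "3.5.1.35"            # malicious build named in the report
C2_DOMAIN = b"wpjs1.com"            # exfiltration domain named in the report
PLUGIN_NAME = "smart slider 3 pro"  # assumed header name, matched case-insensitively
HEADER_RE = re.compile(rb"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.M | re.I)

def plugin_header(data):
    """Parse 'Plugin Name' / 'Version' from the first 8 KB, as WordPress does."""
    pairs = HEADER_RE.findall(data[:8192])
    return {k.decode().lower(): v.decode(errors="replace") for k, v in pairs}

def triage(wp_root):
    """Return sorted (finding, relative_path) pairs for PHP files under wp-content."""
    root, findings = Path(wp_root), []
    for path in filter(Path.is_file, (root / "wp-content").rglob("*.php")):
        rel, data = path.relative_to(root), path.read_bytes()
        # A plugin's main file sits at wp-content/plugins/<dir>/<file>.php
        if len(rel.parts) == 4 and rel.parts[1] == "plugins":
            hdr = plugin_header(data)
            if (PLUGIN_NAME in hdr.get("plugin name", "").lower()
                    and hdr.get("version") == BAD_VERSION):
                findings.append(("backdoored-version", rel.as_posix()))
        # Plain-text match only; an encoded reference would not be found
        if C2_DOMAIN in data.lower():
            findings.append(("c2-reference", rel.as_posix()))
    return sorted(findings)

def build_sample(root, version):
    """Constructed WordPress tree for the demo; every path and file body is made up."""
    files = {
        "wp-content/plugins/slider-dir/main.php":
            f"<?php\n/*\nPlugin Name: Smart Slider 3 Pro\nVersion: {version}\n*/\n",
        "wp-content/themes/sample-theme/functions.php":
            "<?php\n$u = 'wpjs1.com'; // constructed stand-in for an injected line\n",
        "wp-content/themes/sample-theme/index.php": "<?php // clean file\n",
    }
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in triage(build_sample(tmp, BAD_VERSION)):
            print(*finding)
```

Run against the same sample built with version 3.5.1.36, only the c2-reference finding remains, which is why the version check alone does not confirm a clean site.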

Why it Matters

This supply chain attack demonstrates how threat actors can bypass traditional security measures by subverting trusted software update mechanisms. It highlights the critical risk that third-party plugins pose to website integrity and underscores the necessity for rigorous incident response when official distribution channels are compromised.
Published by info@thehackernews.com (The Hacker News)