Top WordPress Slider plugin hijacked to spread malware — here's what to look out for

If you are using the Smart Slider 3 plugin for either WordPress or Joomla, make sure to update immediately, as experts have warned the tool was recently abused to distribute malware.

Nextendweb, the maintainers of Smart Slider 3, recently published a new security advisory, saying that on around April 7, 2026, unidentified threat actors broke into the system used for distributing patches, tainting the Pro version of the plugin with “multiple backdoors and persistence layers”, before pushing the poisoned version as an update to more than 800,000 websites.

An unknown number of websites likely installed the compromised version 3.5.1.35, before the developers spotted the attack and released a clean version - 3.5.1.36. Users are now urged to upgrade to this, or roll back to version 3.5.1.34.

Rolling back the updates

“If you have an available backup point, we strongly recommend rolling back your server to a backup created before version 3.5.1.35,” the advisory reads.

“The compromised update was released by the attacker on April 7, 2026. Due to time zone differences, it is safest to restore from a backup dated April 5, 2026 or earlier.”

Nextendweb says the malicious plugin version includes multiple backdoors which allow threat actors to execute system commands remotely (via HTTP headers) or execute arbitrary PHP code via hidden request parameters. The backdoors also create a hidden admin user and hide it from the admin interface. Persistent backdoors were found in these locations:

wp-content/mu-plugins/object-cache-helper.php

theme functions.php

wp-includes/class-wp-locale-helper.php

Finally, the backdoor can send site and credential data to an external server which is why, Nextendweb says, affected sites “should be considered fully compromised.”

Besides rolling back the update, there is a number of steps website admins should use to make sure their assets are cleaned, which can be found on this link.

Via BleepingComputer