Smart Slider 3 Pro 3.5.1.35 Backdoor via Supply Chain Attack
- [01] Immediate impact: Attackers can gain persistent access and execute arbitrary code on websites running the compromised slider plugin update.
- [02] Affected systems: Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla distributed via hijacked Nextend update servers.
- [03] Remediation: Administrators must verify the integrity of plugin files and update immediately to the clean version 3.5.1.36.
Nextend, the developer behind the widely used Smart Slider 3 plugin, has reported a significant security incident involving the hijacking of its software distribution infrastructure. According to The Hacker News, unknown threat actors compromised the company's update servers and used them to distribute a malicious build of the Smart Slider 3 Pro plugin. The supply chain attack specifically targets version 3.5.1.35 of the Pro edition, which ships with a backdoor designed to give the attackers persistent access to the underlying web server.
The technical implications of a compromised plugin update are severe. Once the backdoored update is installed, the malicious code can hand the adversary remote code execution on the host, typically by beaconing to a command-and-control (C2) server and executing whatever it is told to run. Because the plugin runs inside the content management system (CMS) with permission to read and modify site files, this compromise can lead to full site takeover, data exfiltration, or the deployment of ransomware. Security researchers at Patchstack, who monitored the incident, noted that the free version of Smart Slider 3 is unaffected; the Pro version's automated update mechanism delivered the backdoored build over a channel that administrators and security tooling normally trust. Smart Slider 3 is a popular WordPress slider plugin with more than 800,000 active installations, making the potential reach of this campaign substantial.
Analyzing the Attack Vector
The hijacking of Nextend's update servers represents a serious breach of the software distribution pipeline. By compromising the source of the updates, the attackers ensured that the malicious payload arrived through a trusted channel, which often slips past EDR solutions that rely on signature-based detection of already-known malware. Security teams should search their SIEM logs for unusual outbound connections originating from web servers, which may indicate the backdoor attempting to beacon to an external controller.
Defenders must understand how to detect Smart Slider 3 Pro backdoor activity within their environments. Comparing file hashes against a known-clean release is a useful first step, but it is not sufficient on its own: administrators should also look for unauthorized modifications in the plugin's directory, specifically PHP files that were modified outside the standard update window or that contain obfuscated code (typical markers of a PHP backdoor are eval() wrapped around base64_decode() or gzinflate() output, and request parameters passed to dynamically named functions). Any IoC published for this incident should be ingested into the SOC workflow for threat hunting across the enterprise.
Smart Slider 3 Pro 3.5.1.35 Patch Guidance and Remediation
The primary remediation step is the immediate removal of the compromised version and an upgrade to a verified clean version. Nextend has regained control of their infrastructure and released version 3.5.1.36 to address the compromise. Organizations should follow this Smart Slider 3 Pro 3.5.1.35 patch guidance to ensure the integrity of their web assets:
- Audit all WordPress and Joomla installations to identify the specific version of the Smart Slider 3 Pro plugin currently in use.
- If version 3.5.1.35 is detected, assume the environment is potentially compromised and initiate an incident response plan to check for persistence.
- Replace the plugin files with a fresh download of version 3.5.1.36 or higher directly from the official Nextend portal rather than relying on cached versions.
- Rotate all credentials associated with the website, including database passwords, FTP accounts, and administrative user credentials, as these may have been harvested by the backdoor prior to detection.
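The audit and detection steps above can be scripted. The following is an added example written for this article, not code from Nextend or Patchstack: it reads the installed version from a WordPress plugin header (`Version:`) or a Joomla manifest (`<version>`), compares it numerically against the fixed release, and walks the plugin directory flagging PHP files whose modification time falls outside an expected update window or that contain generic obfuscation markers. The directory layout, the main file name `smart-slider-3-pro.php`, the update window, and the planted `includes/init.php` are all constructed for the demonstration; the regexes are generic webshell heuristics, not indicators taken from this incident.

```python
"""Audit a Smart Slider 3 Pro install directory for the backdoored release and
for PHP files that look tampered with.  Added example; sample tree is constructed."""
import os
import re
import tempfile
from pathlib import Path

AFFECTED_VERSION = "3.5.1.35"   # backdoored release named in the advisory
FIXED_VERSION = "3.5.1.36"      # first clean release named in the advisory

# Assumed legitimate update window (epoch seconds); in practice take this from
# your deployment records or the plugin's last known-good update log.
UPDATE_WINDOW = (1_700_000_000.0, 1_700_003_600.0)

# Generic markers of obfuscated PHP / webshells.  Heuristics only, not IoCs from this incident.
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "decompress": re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "dynamic_call_on_request": re.compile(r"\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
}


def version_tuple(version: str) -> tuple:
    """'3.5.1.35' -> (3, 5, 1, 35) so that releases compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def read_installed_version(plugin_dir: Path):
    """Version from a WordPress plugin header ('Version: x') or a Joomla manifest
    (<version>x</version>) in the top-level directory; None if neither is present."""
    for php in sorted(plugin_dir.glob("*.php")):
        m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", php.read_text(errors="ignore"), re.M)
        if m:
            return m.group(1)
    for xml in sorted(plugin_dir.glob("*.xml")):
        m = re.search(r"<version>\s*([0-9][0-9.]*)\s*</version>", xml.read_text(errors="ignore"))
        if m:
            return m.group(1)
    return None


def scan_php_files(plugin_dir: Path, update_window: tuple) -> list:
    """Return [(relative_path, [reasons])] for PHP files modified outside the update
    window or matching any obfuscation pattern.  Clean files are not listed."""
    start, end = update_window
    findings = []
    for php in sorted(plugin_dir.rglob("*.php")):
        reasons = []
        if not (start <= php.stat().st_mtime <= end):
            reasons.append("mtime outside update window")
        text = php.read_text(errors="ignore")
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(text):
                reasons.append(f"pattern:{name}")
        if reasons:
            findings.append((str(php.relative_to(plugin_dir)), reasons))
    return findings


def audit_plugin(plugin_dir: Path, update_window: tuple) -> dict:
    """Combine the version check and the file scan into one report."""
    version = read_installed_version(plugin_dir)
    return {
        "version": version,
        "backdoored_release": version == AFFECTED_VERSION,
        "needs_update": version is not None and version_tuple(version) < version_tuple(FIXED_VERSION),
        "suspicious_files": scan_php_files(plugin_dir, update_window),
    }


def build_sample_plugin() -> Path:
    """Constructed sample tree (not real Smart Slider files): a main file carrying the
    affected version, one clean helper, and one planted obfuscated file touched after
    the update window."""
    root = Path(tempfile.mkdtemp()) / "smart-slider-3-pro"
    (root / "includes").mkdir(parents=True)
    (root / "smart-slider-3-pro.php").write_text(
        "<?php\n/*\n * Plugin Name: Smart Slider 3 Pro\n * Version: 3.5.1.35\n */\n")
    (root / "includes" / "helper.php").write_text(
        "<?php\nfunction ss3_helper($a) { return trim($a); }\n")
    (root / "includes" / "init.php").write_text(
        "<?php\n@eval(base64_decode($_POST['k']));\n")
    legit = UPDATE_WINDOW[0] + 60          # inside the window: legitimate update
    late = UPDATE_WINDOW[1] + 3600         # an hour after the window: suspicious
    for name, ts in (("smart-slider-3-pro.php", legit), ("includes/helper.php", legit),
                     ("includes/init.php", late)):
        os.utime(root / name, (ts, ts))
    return root


if __name__ == "__main__":
    report = audit_plugin(build_sample_plugin(), UPDATE_WINDOW)
    print(f"installed: {report['version']}  backdoored release: {report['backdoored_release']}"
          f"  needs update: {report['needs_update']}")
    for path, reasons in report["suspicious_files"]:
        print(f"  {path}: {', '.join(reasons)}")
```

On a real host, point `audit_plugin` at `wp-content/plugins/smart-slider-3-pro` (or the Joomla extension directory) and set the window to the time the last legitimate update was applied. A hit on the modification-time check alone is weak evidence, since a backdoor can reset timestamps, so treat the version check and the content heuristics as the primary signals and confirm by diffing against a fresh download of 3.5.1.36.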
No CVE identifier had been assigned to this server-side compromise at the time of reporting; in MITRE ATT&CK terms the technique maps to T1195.002, Supply Chain Compromise: Compromise Software Supply Chain. Treating third-party update channels as untrusted until their contents are verified remains the most effective long-term defense against similar infrastructure-level breaches.