BREACH BRIEF · 🟠 High · ThreatIntel

Supply Chain Attack Hijacks Smart Slider 3 Pro Updates, Injects Backdoors into WordPress & Joomla Sites

Attackers compromised the Smart Slider 3 Pro update process, pushing a malicious version that installs hidden admin accounts, multiple backdoors, and steals site credentials. Over 900,000 WordPress/Joomla sites are potentially exposed, making immediate remediation essential for third‑party risk management.

LiveThreat™ Intelligence · 📅 April 09, 2026 · 📰 bleepingcomputer.com

Severity: High · Type: ThreatIntel · Confidence: High · Affected: 4 sector(s) · Actions: 4 recommended · Source: bleepingcomputer.com

What Happened — Attackers compromised the update mechanism of the Smart Slider 3 Pro plugin and released a malicious version (3.5.1.35) for WordPress and Joomla. The payload installs multiple persistence backdoors, creates hidden admin accounts, and harvests site credentials.

Why It Matters for TPRM

  • A trusted third‑party component can become a conduit for widespread compromise across client‑facing web properties.
  • Persistent backdoors evade typical patch cycles, extending the window of exposure.
  • Credential theft from compromised sites can be leveraged in downstream supply‑chain or credential‑stuffing attacks against other vendors.

Who Is Affected — Web‑hosting providers, digital agencies, SaaS platforms, and any organization that runs WordPress/Joomla sites using Smart Slider 3 Pro (estimated at more than 900,000 installations).

Recommended Actions

  • Verify plugin version on all managed sites; upgrade immediately to 3.5.1.36 (or revert to ≤ 3.5.1.34).
  • Conduct a forensic scan for the known backdoor artifacts (hidden admin users, mu‑plugins, altered functions.php, rogue files in wp‑includes).
  • Rotate all WordPress/Joomla admin credentials and regenerate authentication keys.
  • Review third‑party update validation processes (e.g., signed releases, hash verification).

Technical Notes — The malicious update delivers a multi‑layered PHP toolkit that:

  • Executes arbitrary commands via crafted HTTP headers (no auth).
  • Installs a second authenticated backdoor with eval and OS command execution.
  • Persists through hidden admin accounts, must‑use plugins, and core‑file injections.
  • Stores stolen credentials in the database and a .cache_key file, bypassing credential changes.
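A first-pass triage for the version check and forensic scan in Recommended Actions, using the artifacts listed in Technical Notes. This is an added example, not code from the vendor or the original reporting. Assumptions: the plugin is recognised by a "Smart Slider 3" name in its WordPress plugin header (the `name_hint` parameter), the standard `wp-content` layout is in use, and the sample tree is constructed placeholder data.

```python
import re, sys, tempfile
from pathlib import Path

BAD_VERSION = "3.5.1.35"  # malicious release named in the brief
# Standard WordPress plugin header fields, e.g. " * Version: 3.5.1.35"
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.M | re.I)

def plugin_headers(php_file):
    """Parse 'Plugin Name' and 'Version' from the first 8 KiB of a PHP file."""
    text = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    return {key.lower(): value for key, value in HEADER.findall(text)}

def triage_site(wp_root, name_hint="smart slider 3"):
    """Return sorted (kind, relative_path, detail) findings for one docroot."""
    root, findings = Path(wp_root), []
    # 1. Installed version, read from disk rather than from the admin UI.
    for php in root.glob("wp-content/plugins/*/*.php"):
        hdr = plugin_headers(php)
        if name_hint in hdr.get("plugin name", "").lower():  # name_hint: assumption
            ver = hdr.get("version", "unknown")
            kind = "malicious-version" if ver == BAD_VERSION else "plugin-present"
            findings.append((kind, php.relative_to(root).as_posix(), ver))
    # 2. Must-use plugins load on every request; list all for manual review.
    for php in root.glob("wp-content/mu-plugins/*.php"):
        findings.append(("mu-plugin-review", php.relative_to(root).as_posix(), ""))
    # 3. The .cache_key credential file; the brief gives no location for it,
    #    so the whole docroot is searched.
    for hit in root.rglob(".cache_key"):
        if hit.is_file():
            findings.append(("cache-key-file", hit.relative_to(root).as_posix(), ""))
    return sorted(findings)

def make_sample(root):
    """Build a constructed sample docroot (placeholder files, no real payload)."""
    files = {
        "wp-content/plugins/slider-pro-sample/main.php":
            "<?php\n/*\n * Plugin Name: Smart Slider 3 Pro\n * Version: 3.5.1.35\n */\n",
        "wp-content/mu-plugins/loader.php": "<?php // constructed placeholder\n",
        "wp-content/uploads/.cache_key": "constructed",
    }
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    roots = sys.argv[1:] or [tempfile.mkdtemp()]  # no arguments: dry run on sample
    if not sys.argv[1:]:
        make_sample(roots[0])
    for docroot in roots:
        for kind, path, detail in triage_site(docroot):
            print(f"{docroot}\t{kind}\t{path}\t{detail}")
```

Hidden admin accounts, an altered functions.php and rogue files in wp‑includes need a comparison against the user table and known-good copies (for core files, WP-CLI's `wp core verify-checksums`), which this file-level pass does not cover.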

Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/smart-slider-updates-hijacked-to-push-malicious-wordpress-joomla-versions/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
