A compromised update to the popular Smart Slider 3 Pro WordPress plugin was distributed through Nextend’s own servers on 7 April, turning a trusted update mechanism into a malware delivery channel. Version 3.5.1.35 contained multiple backdoors capable of creating rogue administrator accounts, executing remote system commands, and exfiltrating site credentials to an external command-and-control server. As Patchstack reported, the poisoned update was live for roughly six hours before detection.
Smart Slider 3 runs on over 800,000 websites, many of them small business sites. If your site updated to version 3.5.1.35 during that window, you should treat it as compromised. The malware harvests your WordPress admin email, database name, plaintext credentials, and a full list of installed persistence methods — all sent to the attacker’s domain. Only the Pro version was affected; the free version from the WordPress plugin directory was not tampered with.
Here’s what to do right now: check your Smart Slider 3 version in your WordPress dashboard under Plugins. If you’re on 3.5.1.35, update immediately to 3.5.1.36 (the clean release) or roll back to 3.5.1.34. Then audit your admin user list for any accounts you don’t recognise, change all administrator passwords, and rotate your WordPress database credentials. If you’re not sure how to check, ask your IT provider to run through this today — not next week.
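As an added example (not code from the original post, Nextend or Patchstack), the two checks above scripted for a site operator: read the Version line from the plugin's header file and flag administrator accounts that are not on your known list or were created on or after the incident date. The plugin path, the shape of wp-cli's `wp user list --role=administrator --format=json` output, and every sample value (including the dates) are assumptions.

```python
import re
from datetime import datetime

# Versions named in the advisory: the poisoned release and the clean one.
AFFECTED_VERSION = "3.5.1.35"
CLEAN_VERSION = "3.5.1.36"

# Constructed sample of the header comment WordPress reads from a plugin's main
# PHP file (real path assumed: wp-content/plugins/smart-slider-3/smart-slider-3.php).
SAMPLE_PLUGIN_HEADER = """<?php
/*
 * Plugin Name: Smart Slider 3 Pro
 * Version: 3.5.1.35
 * Author: Nextend
 */
"""

# Constructed admin accounts, shaped like the rows that
# `wp user list --role=administrator --format=json` prints (field names assumed).
SAMPLE_ADMINS = [
    {"user_login": "owner", "user_registered": "2021-03-01 10:00:00"},
    {"user_login": "itprovider", "user_registered": "2023-06-12 08:30:00"},
    {"user_login": "wp_support", "user_registered": "2025-04-07 14:22:10"},
]
KNOWN_ADMINS = {"owner", "itprovider"}  # the accounts you expect to exist

def plugin_version(header_text):
    """Extract the Version: value from a plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None

def version_status(version):
    """Classify a Smart Slider 3 Pro version against the advisory."""
    if version is None:
        return "unknown"
    if version == AFFECTED_VERSION:
        return "compromised"  # installed during the poisoned update window
    key = lambda v: tuple(int(p) for p in v.split("."))
    return "clean" if key(version) >= key(CLEAN_VERSION) else "pre-incident"

def suspicious_admins(admins, known, since):
    """Admin logins that are unrecognised or were created on/after `since`."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    flagged = []
    for a in admins:
        created = datetime.strptime(a["user_registered"], "%Y-%m-%d %H:%M:%S")
        if a["user_login"] not in known or created >= cutoff:
            flagged.append(a["user_login"])
    return sorted(flagged)
```

Any login returned by `suspicious_admins` should be verified with whoever manages the site before it is removed, and a "compromised" version status means the password and database credential rotation steps above still apply even after updating.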
This is a textbook supply chain attack: the threat didn’t come from a dodgy download or a phishing email, it came through a legitimate update channel. It’s a reminder that even trusted plugins carry risk, and that having someone actively monitoring your WordPress environment matters. If you’d like help auditing your site or setting up proper update monitoring, our managed IT team can step in.