Critical Supply Chain Attack: Backdoor Found in Smart Slider 3 Pro WordPress Plugin
A compromised update system for the **Smart Slider 3 Pro** plugin has been used to distribute a backdoored version to **WordPress** and **Joomla** users. Version 3.5.1.35 of the plugin was weaponized, allowing remote access and arbitrary code execution.

**Supply Chain Compromise Targets WordPress Plugin**
Threat actors have successfully hijacked the update mechanism for **Smart Slider 3 Pro**, a popular **WordPress** and **Joomla** plugin with over 800,000 active installations. According to **Patchstack**, a WordPress security company, the compromised version 3.5.1.35 contained a backdoor, effectively turning the plugin into a remote access toolkit.
"An unauthorized party gained access to **Nextend**'s update infrastructure and distributed a fully attacker-authored build through the official update channel," **Patchstack** reported. The malicious update was available for approximately six hours before being detected and removed.
**Technical Details of the Backdoor**
The trojanized update provided attackers with extensive capabilities, including:
* Creating rogue administrator accounts.
* Executing system commands remotely via HTTP headers.
* Running arbitrary PHP code through hidden request parameters.
**Patchstack** detailed the malware's functionalities:
* Pre-authenticated remote code execution via custom HTTP headers (e.g., `X-Cache-Status` and `X-Cache-Key`).
* A dual-execution mode backdoor enabling arbitrary PHP code and OS command execution.
* Creation of a hidden administrator account (e.g., `wpsvc_a3f1`) disguised from legitimate administrators.
* Concealment of sensitive data using custom WordPress options with disabled autoload.
* Redundant persistence mechanisms, including a must-use plugin (`object-cache-helper.php`), appending code to the active theme's `functions.php` file, and dropping a file named `class-wp-locale-helper.php` in the WordPress `wp-includes` directory.
* Data exfiltration of sensitive information to the command-and-control (C2) domain `wpjs1[.]com`.
**Impact and Mitigation**
**Patchstack** emphasized the sophistication of the attack: "The malware operates in several stages, each designed to ensure deep, persistent, and redundant access to the compromised site."
The free version of **Smart Slider 3** was not affected. **Nextend** has shut down its update servers, removed the malicious version, and initiated a full investigation.
Users who installed version 3.5.1.35 are urged to update to version 3.5.1.36 immediately and perform the following cleanup steps:
* Check for and remove any suspicious administrator accounts.
* Remove **Smart Slider 3 Pro** version 3.5.1.35 if installed.
* Reinstall a clean version of the plugin.
* Remove all persistence files associated with the backdoor.
* Delete malicious WordPress options from the `wp_options` table: `_wpc_ak`, `_wpc_uid`, `_wpc_uinfo`, `_perf_toolkit_source`, and `wp_page_for_privacy_policy_cache`.
* Clean up the `wp-config.php` file, removing `define('WP_CACHE_SALT', '<token>');` if present.
* Remove the line `# WPCacheSalt <token>` from the `.htaccess` file.
* Reset administrator and WordPress database user passwords.
* Change FTP/SSH and hosting account credentials.
* Review website logs for unauthorized changes and unusual POST requests.
* Enable two-factor authentication (2FA) for administrators and disable PHP execution in the uploads folder.
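The indicators listed under **Technical Details of the Backdoor** and the cleanup steps above can be turned into a quick triage check. The script below is an added example, not tooling from **Patchstack** or **Nextend**: it walks a WordPress site root looking for the two persistence files, the `WP_CACHE_SALT` define in `wp-config.php`, the `# WPCacheSalt` line in `.htaccess`, any PHP file (the active theme's `functions.php` included) that references the C2 domain or the backdoor's option keys, and filters an administrator username list for suspects. The only assumption beyond the article is that rogue accounts share the `wpsvc_` prefix of the published sample name; the demo site it builds in a temporary directory is constructed for illustration.

```python
"""Triage scan for the Smart Slider 3 Pro backdoor indicators (added example)."""
import re
import tempfile
from pathlib import Path

# Persistence files named in the write-up, relative to the site root
PERSISTENCE_FILES = (
    "wp-content/mu-plugins/object-cache-helper.php",
    "wp-includes/class-wp-locale-helper.php",
)
# Config edits named in the cleanup steps: (relative file, regex)
TEXT_INDICATORS = (
    ("wp-config.php", re.compile(r"define\(\s*'WP_CACHE_SALT'")),
    (".htaccess", re.compile(r"^#\s*WPCacheSalt\b", re.MULTILINE)),
)
MALICIOUS_OPTIONS = (
    "_wpc_ak", "_wpc_uid", "_wpc_uinfo",
    "_perf_toolkit_source", "wp_page_for_privacy_policy_cache",
)
OPTION_PATTERN = re.compile("|".join(re.escape(o) for o in MALICIOUS_OPTIONS))
C2_DOMAIN = re.compile(r"wpjs1\.com")
# Assumption: rogue admins follow the prefix of the sample name wpsvc_a3f1
ROGUE_ADMIN = re.compile(r"^wpsvc_[0-9a-f]+$")


def scan_site(root):
    """Return a sorted list of human-readable findings for a WordPress root."""
    root = Path(root)
    findings = []
    for rel in PERSISTENCE_FILES:
        if (root / rel).is_file():
            findings.append(f"persistence file present: {rel}")
    for rel, pattern in TEXT_INDICATORS:
        path = root / rel
        if path.is_file() and pattern.search(path.read_text(errors="replace")):
            findings.append(f"backdoor marker in {rel}")
    # Any PHP file that names the C2 domain or the backdoor's option keys
    # (theme functions.php, dropped helpers, mu-plugins) needs a manual look.
    for php in root.rglob("*.php"):
        text = php.read_text(errors="replace")
        rel = php.relative_to(root).as_posix()
        if C2_DOMAIN.search(text):
            findings.append(f"C2 domain referenced in {rel}")
        if OPTION_PATTERN.search(text):
            findings.append(f"backdoor option key referenced in {rel}")
    return sorted(findings)


def find_rogue_admins(admin_usernames):
    """Filter administrator usernames (e.g. from `wp user list --role=administrator`)."""
    return [u for u in admin_usernames if ROGUE_ADMIN.match(u)]


def build_demo_site(root):
    """Constructed WordPress-like tree carrying several indicators (demo input only)."""
    root = Path(root)
    (root / "wp-content/mu-plugins").mkdir(parents=True)
    (root / "wp-content/themes/demo").mkdir(parents=True)
    (root / "wp-includes").mkdir()
    (root / "wp-content/mu-plugins/object-cache-helper.php").write_text(
        "<?php // constructed stand-in for the dropped mu-plugin\n")
    (root / "wp-config.php").write_text(
        "<?php\ndefine('WP_CACHE_SALT', 'TOKEN-PLACEHOLDER');\n")
    (root / ".htaccess").write_text(
        "# BEGIN WordPress\n# WPCacheSalt TOKEN-PLACEHOLDER\n")
    (root / "wp-content/themes/demo/functions.php").write_text(
        "<?php\n// constructed: theme file with an appended beacon to wpjs1.com\n")
    (root / "wp-includes/load.php").write_text("<?php // clean core file\n")


def demo_scan():
    """Build the constructed site in a temp dir and return (findings, rogue admins)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_site(tmp)
        findings = scan_site(tmp)
    rogue = find_rogue_admins(["admin", "wpsvc_a3f1", "editor"])
    return findings, rogue


if __name__ == "__main__":
    found, suspects = demo_scan()
    for line in found:
        print("[!]", line)
    print("suspect admin accounts:", suspects)
```

Run it against a real site root instead of the temp directory by calling `scan_site("/var/www/html")`; the option keys themselves live in the database, so the `wp_options` check in the cleanup list still has to be done with SQL or WP-CLI, and a hit on any finding is a reason to follow the full list above (credential rotation included) rather than only deleting the flagged file.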
**Supply Chain Attack Implications**
**Patchstack** concluded, "This incident is a textbook supply chain compromise, the kind that renders traditional perimeter defenses irrelevant... The plugin is the malware."