Smart Slider 3 Pro Plugin Compromised: Backdoors and Data Theft Hit WordPress and Joomla Sites
A supply chain attack has targeted the popular **Smart Slider 3 Pro** plugin for **WordPress** and **Joomla**, injecting malicious code into version 3.5.1.35. This compromised update installs backdoors, steals sensitive data, and creates hidden administrator accounts, potentially granting attackers full control over affected websites.

**Smart Slider 3** for **WordPress**, used on over 900,000 websites, suffered a major security breach after hackers hijacked its update system. The malicious update, specifically affecting Pro version 3.5.1.35, was distributed on April 7th, potentially compromising numerous websites. Users are urged to immediately update to version 3.5.1.36 or revert to 3.5.1.34 or earlier.
### Multi-Layered Malware
According to an analysis by **PatchStack**, the injected malware is a sophisticated, multi-layered toolkit embedded within the plugin's main file. It maintains the plugin's normal functionality while introducing several critical vulnerabilities:
* Unauthenticated remote command execution via crafted HTTP headers.
* Authenticated backdoor with PHP eval and OS command execution.
* Automated credential theft.

*[Figure: Creating a hidden admin account. Source: PatchStack]*
### Persistence Mechanisms
The malware employs multiple persistence layers so that it survives partial cleanup, such as removing the plugin or changing passwords:
* **Hidden Admin Account:** Creation of a hidden administrator account with credentials stored in the database.
* **'mu-plugins' Directory:** Creation of a 'mu-plugins' directory and a must-use plugin masquerading as a legitimate caching component. These plugins are automatically loaded and cannot be disabled through the WordPress dashboard.
* **Theme Backdoor:** Injection of a backdoor into the active theme's *functions.php* file, ensuring persistence as long as the theme remains active.
* ***wp-includes* Directory Injection:** A PHP file mimicking a legitimate WordPress core class is injected into the *wp-includes* directory. This backdoor relies on a `.cache_key` file for authentication, bypassing database credential changes.
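As an added defensive check (written for this article, not tooling from the vendor or PatchStack), the POSIX shell function below walks a WordPress install for the artifacts described above: a `.cache_key` file under *wp-includes*, any must-use plugin under *mu-plugins*, and obfuscation primitives in theme *functions.php* files. It assumes the default directory layout; the grep pattern is a heuristic of my own, not an indicator taken from the article.

```shell
#!/bin/sh
# triage_wp_root ROOT: print one line per finding and return 1 if anything
# was found, 0 if the tree looks clean. Findings are for manual review;
# a "CRITICAL" line is a strong indicator, a "REVIEW" line needs a human.
triage_wp_root() {
    root="$1"
    report=$(
        # 1. Core never ships a .cache_key file; the wp-includes backdoor
        #    uses it for authentication, so any hit is a strong indicator.
        find "$root/wp-includes" -name '.cache_key' 2>/dev/null \
            | sed 's|^|CRITICAL: backdoor auth file |'

        # 2. Must-use plugins load automatically and cannot be disabled from
        #    the dashboard. List every one; the malicious copy posed as a
        #    caching component, so check names that sound like caching.
        for f in "$root"/wp-content/mu-plugins/*.php; do
            if [ -e "$f" ]; then
                echo "REVIEW: must-use plugin $f"
            fi
        done

        # 3. Theme functions.php: flag the usual obfuscation primitives.
        #    Heuristic (assumption), legitimate themes rarely need these.
        for f in "$root"/wp-content/themes/*/functions.php; do
            if [ -e "$f" ] && grep -qE 'eval\(|base64_decode\(|gzinflate\(' "$f"; then
                echo "REVIEW: obfuscation primitive in $f"
            fi
        done
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Run against the WordPress root given on the command line, if any.
if [ "$#" -ge 1 ]; then
    triage_wp_root "$1"
fi
```

The PHP file mimicking a core class cannot be spotted by name alone; compare *wp-includes* against upstream with `wp core verify-checksums` (WP-CLI) after this pass.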
### Joomla Installations Affected
The vendor has issued a similar warning for **Joomla** installations, stating that version 3.5.1.35 of the plugin may create a hidden admin account (usually with the prefix *wpsvc_*) and install additional backdoors in the `/cache` and `/media` directories. It also steals site information and credentials.
### Recommended Actions
The malicious update was distributed on April 7th. The **Smart Slider** team recommends restoring backups from April 5th to account for potential timezone differences. If no backup is available, remove the compromised plugin and install a clean version (3.5.1.36).
Administrators who find the compromised plugin version should assume full site compromise and take the following actions:
* Delete malicious users, files, and database entries.
* Reinstall WordPress core, plugins, and themes from trusted sources.
* Rotate all credentials (WP, DB, FTP/SSH, hosting, email).
* Regenerate WordPress security keys (salts).
* Scan for remaining malware and review logs.
The vendor provides a detailed manual cleanup guide for WordPress and Joomla, including:
* Placing the site into maintenance mode and creating a backup.
* Removing unauthorized admin users.
* Removing all malicious components.
* Reinstalling all core files, plugins, and themes.
* Resetting all passwords.
* Scanning for additional malware.
Final recommendations include hardening the site by activating two-factor authentication (2FA), updating components, restricting admin access, and using strong, unique passwords.