Research · 11 min read

Smart Slider 3 Pro Backdoor: Six Hours to Compromise 800,000 Sites

By WP Vanguard Team

Smart Slider 3 Pro Backdoor: Six Hours to Compromise 800,000 Sites

On April 7, 2026, an unauthorized party gained access to Nextend's update infrastructure and pushed a trojanized build of Smart Slider 3 Pro, tagged 3.5.1.35, through the plugin's official auto-update channel. For roughly six hours, every WordPress site running Smart Slider 3 Pro with auto-updates enabled received the malicious version. The backdoor it installed is not subtle. It creates hidden administrator accounts, plants persistence in three separate locations, accepts pre-authenticated remote code execution via custom HTTP headers, and exfiltrates credentials and site configuration to an attacker-controlled domain.

Smart Slider 3 has more than 800,000 active installations across its free and Pro editions. Only the Pro version, only version 3.5.1.35, and only sites that updated between the release and the detection window are affected. Even so, the six-hour window is long enough to have compromised thousands of sites, and the forensic profile of the backdoor means many of those sites are still compromised even after updating to the clean 3.5.1.36 release.

If you run Smart Slider 3 Pro, this post is a checklist. Don't skim it.

Timeline

The six-hour window is the critical period. Any Smart Slider 3 Pro site that auto-updated during that window received the backdoor. Sites that had auto-updates disabled and updated manually later may have received the clean 3.5.1.36 depending on exactly when they pulled. Sites still running 3.5.1.34 or earlier were never exposed.

How the Backdoor Works

The trojanized update doesn't hide itself inside the Smart Slider plugin directory. That would make it easy to remove. Instead, it uses the update process as an installer, drops its real payload in three separate locations outside the plugin, and disappears from the plugin itself as if nothing had happened. That's why simply updating to 3.5.1.36 doesn't clean an affected site.

Persistence Location 1: The Must-Use Plugin

The installer drops a file called object-cache-helper.php into wp-content/mu-plugins/. Must-use plugins are loaded automatically by WordPress on every request, before regular plugins, and cannot be deactivated through the normal plugin management interface. They don't appear in the Plugins screen. A site owner who goes looking for malicious plugins won't find this one unless they browse the mu-plugins directory directly on the filesystem.

The file is named object-cache-helper.php because the name is plausible. WordPress sites genuinely do use MU plugins to provide object caching helpers, and the specific name is just ambiguous enough that a casual inspection might dismiss it as legitimate infrastructure. A forensic examination of the file contents immediately reveals the malicious code, but no automated scanner that works by filename alone will catch it. Our writeup on PHP backdoors in WordPress covers several more examples of this exact naming trick.

Persistence Location 2: The Theme's functions.php

The installer also appends code to the active theme's functions.php file. This second persistence location survives plugin uninstalls, plugin updates, and even deletion of the mu-plugins file, because functions.php is part of the theme and is reloaded on every page request. It doesn't survive a theme switch, but most site owners don't switch themes as part of incident response.

The code appended to functions.php is typically a single obfuscated PHP block, either base64-encoded or hex-encoded, designed to look like a cache or performance helper. The block unpacks and executes the real payload at runtime, which makes simple grep-based detection harder unless you know which encoding to look for.

Persistence Location 3: A Fake Core File

The third location is the most aggressive. The installer drops a file called class-wp-locale-helper.php into wp-includes/. This is the directory WordPress uses for its own core files. Dropping a malicious file there violates every WordPress convention, but it's effective precisely because WordPress itself doesn't check for extra files in wp-includes during core updates. The update process only verifies that expected files are present and correct, not that unexpected files are absent.

A file in wp-includes with a name like class-wp-locale-helper.php looks, to the untrained eye, exactly like a legitimate WordPress core file. A developer auditing the directory might assume it was part of WordPress itself. It isn't. It's part of the backdoor, and it serves as the fallback persistence mechanism if both the MU plugin and the theme file are removed.

The Runtime Capabilities

Once any of the three persistence locations is loaded, the backdoor registers a handler on every WordPress request that inspects incoming HTTP headers. If the request contains X-Cache-Status: <magic-value> and X-Cache-Key: <command>, the backdoor decodes the command and executes it as PHP, pre-authenticated. No login is required. No nonce is checked. The headers are invisible to ordinary visitors because no browser sends them, and they don't appear in most server access logs because access logs typically don't record request headers by default.

Alongside the header-triggered RCE, the backdoor:

The result is a site that continues to function normally for its legitimate users while being fully under the attacker's control. The attacker can read the database, steal customer data, install further malware, pivot to other sites on the same server, or sit silently and wait for a more valuable moment. Our 9 signs your WordPress site has been hacked post has the full list of red flags worth watching for.

Remediation

Update Smart Slider 3 Pro to 3.5.1.36 immediately. This removes the trojanized plugin code but doesn't clean the three persistence files or the malicious options. The plugin update is necessary but not sufficient.

Delete the three persistence files. On the server, remove:

Before deleting, take a copy of each file so you have a forensic record of what was installed. This is worth doing even if you aren't going to analyse the files yourself, because security researchers may ask for samples.

Remove the malicious WordPress options. Run the following against the database on a staging copy of the site to find them first:

SELECT option_name FROM wp_options WHERE option_name IN ('_wpc_ak', '_wpc_uid', '_wpc_uinfo');

If any of the three are present, delete them. WP-CLI makes this easy:

wp option delete _wpc_ak _wpc_uid _wpc_uinfo

Audit the user list for hidden administrator accounts. The wpsvc_<hex> naming pattern is a strong indicator, but the attacker may vary the prefix. Run:

wp user list --role=administrator --fields=ID,user_login,user_email,user_registered

Any administrator you don't recognise, particularly any account registered on or after April 7, 2026, is a candidate for the backdoor. Delete them, reassigning any content they own to a legitimate account.

Rotate every secret. Change the WordPress salts in wp-config.php, force a password reset for all users, regenerate API keys, and rotate any secrets stored in options or environment variables. The attacker had code execution for some period of time. Assume the entire credential surface is burned. For a full post-compromise playbook, follow our WordPress malware removal guide.

Check server access and error logs for header-triggered RCE attempts. Look for requests containing X-Cache-Status and X-Cache-Key headers. Most web servers don't log custom headers by default, so you may need to check application-level logs or enable header logging if you want a complete picture. Even without logs, the fact that any such request was possible is enough to assume the attacker used it.

Quarantine the site and investigate laterally. If you host multiple WordPress sites on the same server, assume they are all at risk. The backdoor had arbitrary PHP execution, which means it had read access to anything the web server process could reach. Check neighbour sites for the same three persistence files and the same malicious options. If you're using shared hosting with strict site isolation, the blast radius is limited. If you're using a VPS or dedicated server with weak isolation, it isn't.

What Nextend Needs to Explain

At the time this post is being written, the detailed post-mortem from Nextend hasn't been published. The critical questions a full post-mortem will need to answer:

Sites running Smart Slider 3 Pro should not wait for these answers before remediating. The checklist above stands regardless of what the post-mortem eventually reveals.

Why Signed Updates Would Have Helped

WordPress doesn't, as of this writing, verify plugin update signatures. When your site downloads a plugin update, it trusts whatever the update server says the correct file is. If the update server is compromised, your site downloads the malicious version and installs it. There's no cryptographic check that would catch a server-side tampering of the update payload.

This is a gap the WordPress core team is aware of. Proposals for signed updates have been discussed for years, and some progress has been made on the infrastructure needed to support them. The Smart Slider incident is a reminder of why the work matters. A signed update system would mean that even if an attacker compromised Nextend's update server, they couldn't push a malicious update unless they also had access to the signing key, and the signing key can be kept on hardware isolated from the update server. The supply chain becomes significantly harder to compromise when the distribution channel and the signing channel are separated.

Until signed updates are reality in WordPress, the only practical defence is behavioural monitoring. Watch for unexpected file changes. Watch for new mu-plugins. Watch for new administrator accounts. Watch for unexplained PHP files in wp-includes. Each of these is a tripwire that would have caught this backdoor within minutes of installation. (The Essential Plugins supply chain incident from the same week shows the same lesson with a very different attack path.)

WP Vanguard Detection

WP Vanguard now flags the three persistence files used by the Smart Slider backdoor as known indicators of compromise. A deep scan will also surface the _wpc_ option keys, the wpsvc_ administrator pattern, and any PHP injection in theme functions.php files that matches the obfuscation pattern used by this campaign. If you run Smart Slider 3 Pro and haven't scanned your site since April 7, queue a deep scan now. If the scan comes back clean, you're almost certainly fine. If it comes back dirty, follow the remediation checklist above and treat the site as fully compromised until it's thoroughly rebuilt.

References

smart-slider nextend supply-chain-attack wordpress-backdoor rce

Related reading

Check Your WordPress Site Security

Free scan, no login required. Find vulnerabilities before attackers do.

Scan Your Site Free

Get weekly WordPress security tips

Vulnerability alerts, plugin updates, and security guides. No spam. Unsubscribe any time.

WP Vanguard is built by Wbcom Designs, makers of Reign, Jetonomy, Listora, and more. Explore our WordPress products →
← Back to Blog