Smart Slider 3 Pro Plugin Hit by Supply-Chain Attack

Elles De Yeager

Attackers compromised the official update server for the Smart Slider 3 Pro WordPress plugin, distributing a malicious update that installed a backdoor on websites using the premium version.

Hidden Admin Access and Backdoor

According to developer Nextendweb, the malicious update was served for approximately six hours. The tampered plugin drops a backdoor into the site's files and also creates a hidden administrator account. Because that account lives in the site's user table rather than in the plugin's files, deleting the plugin does not remove it, so the attackers keep a working login even after the obvious artifact is gone. Persistence through unauthorized administrator accounts has also figured in other WordPress incidents, including the Post SMTP plugin vulnerability.

Cleanup and Mitigation Details

Nextendweb has released a "cleanup" plugin that removes the malicious files and reverts the unauthorized database changes. Every customer whose site received the compromised update is advised to run it immediately, and to confirm afterwards that no unexpected administrator accounts remain. The report likens the attack to other incidents such as the GootLoader malware campaign, and security firm Patchstack has published a technical analysis of the malware's behavior.
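Two checks a site owner would want to run after the cleanup, as an added example that is not Nextendweb's cleanup plugin or Patchstack's analysis code: compare the installed plugin directory against a freshly downloaded copy to spot added, modified or missing files, and compare the site's administrator list against a known allowlist. The plugin trees and the administrator CSV below are constructed sample data; the CSV follows the shape of the real WP-CLI command `wp user list --role=administrator --fields=ID,user_login,user_email --format=csv`, which is how the list would be produced on a live site.

```shell
#!/bin/sh
# Added example (not vendor code): post-incident checks for a WordPress site
# that received a tampered plugin update.

# diff_plugin_tree CLEAN INSTALLED
# Prints ADDED / MODIFIED / MISSING entries for the installed tree relative
# to a known-good copy (e.g. a fresh vendor download). Returns 1 on any difference.
diff_plugin_tree() {
    clean=$1; installed=$2
    tmp=$(mktemp -d) || return 2
    ( cd "$clean" && find . -type f | sort ) > "$tmp/clean"
    ( cd "$installed" && find . -type f | sort ) > "$tmp/installed"
    comm -13 "$tmp/clean" "$tmp/installed" > "$tmp/added"     # only in install
    comm -23 "$tmp/clean" "$tmp/installed" > "$tmp/missing"   # only in clean copy
    : > "$tmp/modified"
    comm -12 "$tmp/clean" "$tmp/installed" | while IFS= read -r f; do
        cmp -s "$clean/$f" "$installed/$f" || printf '%s\n' "$f" >> "$tmp/modified"
    done
    rc=0
    for kind in added modified missing; do
        while IFS= read -r f; do
            printf '%-8s %s\n' "$(echo "$kind" | tr a-z A-Z)" "${f#./}"
            rc=1
        done < "$tmp/$kind"
    done
    rm -rf "$tmp"
    return $rc
}

# audit_admins ALLOWLIST < admins.csv
# Reads "ID,user_login,user_email" CSV (header first) on stdin and prints every
# administrator login that is not in ALLOWLIST (one login per line). Returns 1
# if an unexpected administrator is found. Assumes logins contain no commas.
audit_admins() {
    allowlist=$1; rc=0
    read -r _header
    while IFS=, read -r id login email; do
        [ -z "$login" ] && continue
        grep -qxF -- "$login" "$allowlist" && continue
        printf 'UNEXPECTED ADMIN id=%s login=%s email=%s\n' "$id" "$login" "$email"
        rc=1
    done
    return $rc
}

# Constructed demo data: a clean plugin copy, an install with one modified and
# one dropped file, and an admin list with one account not on the allowlist.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/clean/includes" "$work/installed/includes"
    printf '<?php // plugin bootstrap\n' > "$work/clean/plugin.php"
    cp "$work/clean/plugin.php" "$work/installed/plugin.php"
    printf '<?php // helper\n' > "$work/clean/includes/helper.php"
    printf '<?php // helper (constructed modification)\n' > "$work/installed/includes/helper.php"
    printf '<?php // constructed dropped file\n' > "$work/installed/includes/cache.php"
    if diff_plugin_tree "$work/clean" "$work/installed"; then
        echo "plugin tree matches vendor copy"
    else
        echo "plugin tree differs from vendor copy"
    fi
    printf 'admin\n' > "$work/allow"
    printf 'ID,user_login,user_email\n1,admin,owner@example.com\n57,wpsupport,noreply@example.net\n' \
        | audit_admins "$work/allow" || echo "unexpected administrator present"
    rm -rf "$work"
}

demo
```

Run the administrator audit after the plugin has been removed or deactivated, or query the database directly, since a plugin that hides an account from the dashboard may filter WP-CLI's user query in the same way while it is still active.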