Top WordPress Slider plugin hijacked to spread malware — here's what to look out for
A tainted version was pushed as an update
By Sead Fadilpašić, TechRadar, published 10 April 2026
- Smart Slider 3 plugin update compromised with backdoors
- Malicious version 3.5.1.35 pushed to 800,000+ sites
- Nextendweb urges rollback or upgrade to clean release
If you are using the Smart Slider 3 plugin for either WordPress or Joomla, make sure to update immediately, as experts have warned the tool was recently abused to distribute malware.
Nextendweb, the maintainer of Smart Slider 3, recently published a security advisory saying that around April 7, 2026, unidentified threat actors broke into the system used for distributing updates, tainted the Pro version of the plugin with “multiple backdoors and persistence layers”, and pushed the poisoned version as an update to more than 800,000 websites.
An unknown number of websites likely installed the compromised version, 3.5.1.35, before the developers spotted the attack and released a clean version, 3.5.1.36. Users are now urged to upgrade to 3.5.1.36 or roll back to version 3.5.1.34.
Rolling back the updates
“If you have an available backup point, we strongly recommend rolling back your server to a backup created before version 3.5.1.35,” the advisory reads.
“The compromised update was released by the attacker on April 7, 2026. Due to time zone differences, it is safest to restore from a backup dated April 5, 2026 or earlier.”
Nextendweb says the malicious plugin version includes multiple backdoors which allow threat actors to execute system commands remotely (via HTTP headers) or execute arbitrary PHP code via hidden request parameters. The backdoors also create a hidden admin user and hide it from the admin interface. Persistent backdoors were found in these locations:
wp-content/mu-plugins/object-cache-helper.php
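
A triage check for the two indicators named above, added here as an example and not taken from Nextendweb's advisory or tooling. It assumes a standard WordPress layout under the document root and that the plugin's header name contains "Smart Slider 3"; Joomla installs are not covered.

```python
import re
import sys
from pathlib import Path

# Values as quoted in the article. Only one persistence location is visible
# there; check the vendor advisory for the complete list and extend this.
BAD_VERSION = "3.5.1.35"
PERSISTENCE_FILES = ["wp-content/mu-plugins/object-cache-helper.php"]

# WordPress reads plugin metadata from a comment header near the top of the
# plugin's main PHP file ("Plugin Name:", "Version:").
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$",
                    re.M | re.I)


def plugin_headers(php_file):
    """Parse the Plugin Name / Version header fields of one PHP file."""
    text = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    return {key.lower(): value.strip() for key, value in HEADER.findall(text)}


def triage(site_root):
    """Return a list of findings for one WordPress document root."""
    root = Path(site_root)
    findings = []
    # Match on the header rather than the directory name (assumption: the
    # plugin identifies itself with "Smart Slider 3" in its Plugin Name).
    for php in sorted(root.glob("wp-content/plugins/*/*.php")):
        head = plugin_headers(php)
        name = head.get("plugin name", "").lower()
        if "smart slider 3" in name and head.get("version") == BAD_VERSION:
            findings.append(
                f"compromised version {BAD_VERSION}: {php.relative_to(root)}")
    for rel in PERSISTENCE_FILES:
        if (root / rel).is_file():
            findings.append(f"persistence file present: {rel}")
    return findings


if __name__ == "__main__":
    results = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(results) or "no indicators from the article found")
    sys.exit(1 if results else 0)
```

An empty result only means these two indicators are absent. It does not check for the hidden admin user the advisory describes, so compare the user list in the database against the admin interface as well.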