Smart Slider 3 Pro Supply Chain Compromise & Malware Cleanup

Vulnerability Overview Version 3.5.1.35 of Smart Slider 3 Pro for WordPress has been injected with malware. Attackers utilized the update system to distribute this malicious version. Once detected, the update infrastructure was shut down, and a secure version, 3.5.1.36, was released. Malicious activities include: Remote execution of system commands ( ) via HTTP headers. Execution of arbitrary PHP code ( ) via hidden parameters. Creation of hidden administrator users (e.g., , ). Storage of credentials within WordPress options ( ). Installation of persistent backdoors in multiple locations. Exfiltration of site and credential data to an external server ( ). Affected sites should be considered fully compromised. Impact Scope Affected Version: 3.5.1.35 (Status: Compromised, immediate action required) Secure Version: 3.5.1.36 (Status: Safe) Secure Version: <= 3.5.1.34 (Status: Safe) Note: Only the Pro version is affected. The Joomla version contains deeper persistence mechanisms. Remediation Plan 1. Server Rollback It is strongly recommended to roll back the server to a backup point prior to version 3.5.1.35 (preferably April 5, 2026, or earlier). Log into the hosting panel. Locate backups, snapshots, or restore points. Find and restore a backup created before version 3.5.1.35. 2. Reset Credentials After restoring the server, it is recommended to regenerate the security keys/salts in , as they may have been compromised by the attacker. 3. Manual Cleanup Guide If rollback is not possible, please perform the following steps: 1. Immediate Update: Reinstall Smart Slider; delete version 3.5.1.35 and install version 3.5.1.36. 2. Maintenance Mode: Temporarily restrict site access. 3. Site Backup: Create a full backup (files + database). 4. Remove Malicious Plugin: Delete the entire plugin directory: . 5. Remove Hidden Admin Users: Inspect users and delete any starting with or with the email . 6. Remove Persistence Files: Delete the following files (if they exist): 7. Clean Theme functions.php: Check all active themes/child themes and remove code containing the following malicious patterns: Look for code that creates files within or base64-encoded/obfuscated PHP code. 8. Remove Malicious WordPress Options: Delete the following options from the table: 9. Clean wp-config.php: Remove any existing constant definitions such as: 10. Clean .htaccess: Check the file in the root directory and remove lines containing: 11. Reinstall WordPress Core: Replace all core files with official downloads (retain and ). 12. Reinstall Plugins and Themes: Remove all plugins and reinstall only from trusted sources. 13. Change All Passwords:** Reset WordPress admin passwords, security keys, hosting account passwords, FTP/SSH credentials, database passwords, and email account passwords.

Goal Reached Thanks to every supporter — we hit 100%!

Smart Slider 3 Pro Supply Chain Compromise & Malware Cleanup