There's a big problem with a popular WordPress plugin called Smart Slider 3. Hackers found a way to sneak in a bad update that lets them access sensitive information on websites. If you use this plugin, you need to update it right away to protect your site!
What Happened
A serious vulnerability has been discovered in the Smart Slider 3 WordPress plugin, which is currently active on over 900,000 websites. This flaw, identified as CVE-2026-3098, allows authenticated users, even those with minimal access like subscribers, to read arbitrary files on the server. This includes sensitive files such as wp-config.php, which contains critical database credentials and security keys. The vulnerability arises from missing capability checks in the plugin's AJAX export actions, enabling unauthorized file access.
On April 7, 2026, hackers hijacked the update system for the Smart Slider 3 Pro plugin and pushed a malicious version (3.5.1.35) that included multiple backdoors. This malicious update created a hidden user with administrator permissions and stole sensitive data, further exacerbating the security risks associated with the plugin. The update was accessible for approximately six hours before it was detected and removed.
The backdoored version includes a sophisticated remote access toolkit, allowing attackers to execute arbitrary PHP code and system commands. According to security company Patchstack, the malware can create rogue administrator accounts, exfiltrate sensitive data, and maintain persistent access through multiple redundant methods. This is a supply chain compromise in the strict sense: the malware arrived through the plugin's own legitimate update channel, so the usual precautions (installing only from the official source and applying updates promptly) offered no protection.
The issue was reported by researcher Dmitrii Ignatyev on February 23, and after validation by Wordfence, the plugin's developer, Nextendweb, acknowledged the report on March 2. A patch was released on March 24, but with the plugin still being downloaded in large numbers, many sites remain on vulnerable versions. Following the malicious update, the developer recommends that users switch to version 3.5.1.36 or revert to 3.5.1.34 or earlier.
Who's Affected
The vulnerability affects at least 900,000 WordPress sites that are running vulnerable versions of the Smart Slider 3 plugin. This is particularly concerning for sites that utilize membership or subscription features, as these are often where subscriber-level access is granted. With 303,428 downloads of the plugin in just the past week, the number of potentially affected sites could rise, posing a significant risk to user data and website integrity. Website administrators need to be aware that while the flaw is not currently flagged as actively exploited, this status could change rapidly. The potential for attackers to access sensitive data makes it imperative for site owners to act quickly.
What Data Was Exposed
The data at risk includes sensitive files on the server that could be accessed by any authenticated user. This includes:
- wp-config.php, which holds the database credentials and security keys
- Other arbitrary files on the server that the web server process can read
The lack of file type and source validation in the plugin's export functionality means that not just images or videos can be exported, but also critical PHP files, increasing the risk of exploitation. Moreover, the malicious update has created additional backdoors that can lead to further data breaches and unauthorized access.
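To make the two missing controls concrete (the capability check described under "What Happened" and the file type and source validation described just above), here is an added illustration in PHP. It is not Smart Slider 3's code and not taken from the article: it shows an AJAX export handler of the same general shape, first in the vulnerable form and then hardened. The hook names, the `file` request parameter, the `demo-exports` directory and the allowed file types are all hypothetical.

```php
<?php
// Added illustration (not Smart Slider 3 code): an AJAX export handler of the
// shape the article describes, first without and then with the checks whose
// absence the article identifies. Hook names, the 'file' parameter and the
// export directory are hypothetical.

// --- Vulnerable pattern: no capability check, no path or type validation. ---
// wp_ajax_* hooks fire for every logged-in user, subscribers included, so
// nothing here stops a low-privilege account from naming any file.
function demo_export_vulnerable() {
    $file = $_REQUEST['file'];            // attacker-controlled path
    readfile( ABSPATH . $file );          // arbitrary file read
    wp_die();
}
add_action( 'wp_ajax_demo_export_vulnerable', 'demo_export_vulnerable' );

// --- Hardened pattern: every check the vulnerable version is missing. ---
function demo_export_hardened() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer( 'demo_export', 'nonce' );

    // 2. Capability check: subscribers must not reach this code at all.
    //    wp_send_json_error() ends the request, so no fall-through is possible.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Source validation: drop any directory components, resolve the path and
    //    require it to stay inside the one directory exports may come from.
    $export_dir = realpath( wp_upload_dir()['basedir'] . '/demo-exports' ); // hypothetical location
    $requested  = isset( $_REQUEST['file'] ) ? wp_unslash( $_REQUEST['file'] ) : '';
    $resolved   = realpath( $export_dir . '/' . basename( $requested ) );
    if ( false === $export_dir || false === $resolved
         || 0 !== strpos( $resolved, $export_dir . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid export file', 400 );
    }

    // 4. Type validation: serve only media types, never PHP or config files.
    $allowed = array(
        'jpg' => 'image/jpeg',
        'png' => 'image/png',
        'mp4' => 'video/mp4',
        'zip' => 'application/zip',
    );
    $ext = strtolower( pathinfo( $resolved, PATHINFO_EXTENSION ) );
    if ( ! isset( $allowed[ $ext ] ) ) {
        wp_send_json_error( 'file type not exportable', 400 );
    }

    header( 'Content-Type: ' . $allowed[ $ext ] );
    header( 'Content-Disposition: attachment; filename="' . basename( $resolved ) . '"' );
    readfile( $resolved );
    wp_die();
}
add_action( 'wp_ajax_demo_export_hardened', 'demo_export_hardened' );
```

The order of the checks matters: the capability check runs before any file name is even looked at, so an unprivileged account is rejected without learning whether a given path exists, and the allowlist of extensions is enforced on the resolved path rather than on the user-supplied string.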
Patch Status
The vendor has issued a clean release, 3.5.1.36, that supersedes the malicious update, and users are advised to update to it immediately. The previous version, 3.5.1.35, is compromised and should be removed if found. Users who installed the compromised version should assume full site compromise. Nextend has shut down its update servers and is conducting a full investigation into the incident.
Immediate Actions
Website owners using the Smart Slider 3 plugin should take immediate action to secure their sites. Here are the recommended steps:
- Update the Plugin: Ensure that you are using the latest version (3.5.1.36) of the Smart Slider 3 plugin, which includes the necessary security patch.
- Review User Access: Audit user roles and permissions to minimize the risk of unauthorized access.
- Monitor for Suspicious Activity: Keep an eye on your website for any unusual behavior or unauthorized file access attempts.
- Remove Malicious Users and Files: If the compromised version was installed, delete any unauthorized admin users and files, and rotate all credentials.
- Install a Clean Version: If no backup is available, remove the compromised plugin and install a clean version.
- Implement Security Measures: Activate two-factor authentication (2FA), restrict admin access, and use strong, unique passwords.
- Perform Cleanup Steps: Check for and remove any suspicious admin accounts, delete persistence files, and reset all relevant credentials.
Taking these steps will help protect your website from potential exploitation and safeguard sensitive data.
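The checklist above can be partly automated. The following is an added audit script, not part of Smart Slider 3, WordPress or the article, meant to be run from the site root with WP-CLI as `wp eval-file audit-smart-slider.php`. It only reports, never changes anything: it checks the installed Smart Slider 3 version against the 3.5.1.35 and 3.5.1.36 versions named in the article, lists every administrator account with its registration date so rogue accounts can be spotted, and lists PHP files under wp-content modified within the last seven days as candidates for persistence files. Matching the plugin by its display name and the seven-day window are assumptions.

```php
<?php
// Added post-incident audit script (not Smart Slider 3 or WordPress code).
// Run from the site root with WP-CLI:  wp eval-file audit-smart-slider.php
// Read-only: it prints findings for an operator to act on.

require_once ABSPATH . 'wp-admin/includes/plugin.php';

// 1. Plugin version. The article names 3.5.1.35 as the backdoored release and
//    3.5.1.36 as the clean one. Matching on the display name is an assumption.
$compromised = '3.5.1.35';
$fixed       = '3.5.1.36';
foreach ( get_plugins() as $plugin_file => $data ) {
    if ( false === stripos( $data['Name'], 'Smart Slider' ) ) {
        continue;
    }
    $state = is_plugin_active( $plugin_file ) ? 'active' : 'inactive';
    if ( version_compare( $data['Version'], $compromised, '==' ) ) {
        $verdict = 'COMPROMISED VERSION - assume full site compromise';
    } elseif ( version_compare( $data['Version'], $fixed, '<' ) ) {
        $verdict = 'older than the clean release; update to ' . $fixed;
    } else {
        $verdict = 'clean release or newer';
    }
    printf( "[plugin] %s %s (%s): %s\n", $data['Name'], $data['Version'], $state, $verdict );
}

// 2. Administrator accounts. The backdoor created a hidden admin user, so list
//    every administrator with its registration date for manual review.
foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
    printf( "[admin] id=%d login=%s email=%s registered=%s\n",
        $user->ID, $user->user_login, $user->user_email, $user->user_registered );
}

// 3. Recently modified PHP files under wp-content, where dropped persistence
//    files typically land. The seven-day window is an assumption; widen it if
//    the install date of the bad update is earlier.
$since = time() - 7 * DAY_IN_SECONDS;
$iter  = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( WP_CONTENT_DIR, FilesystemIterator::SKIP_DOTS )
);
foreach ( $iter as $path => $info ) {
    if ( 'php' === strtolower( $info->getExtension() ) && $info->getMTime() >= $since ) {
        printf( "[modified] %s %s\n", date( 'Y-m-d H:i', $info->getMTime() ), $path );
    }
}
```

Treat the output as a starting point rather than a verdict: a modification time can be altered by an attacker, and an administrator created by the backdoor may have been given an innocuous login, so compare the account list against what you know was legitimately created and rotate every credential listed in the checklist regardless of what the script finds.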
The recent backdoored update of the Smart Slider 3 Pro plugin exemplifies a supply chain attack, demonstrating the need for heightened vigilance in plugin management and update processes. Site administrators must prioritize security audits and implement robust access controls.