VYPR · breach
Published Apr 9, 2026 · Updated May 19, 2026 · 1 source

Supply Chain Compromise Hits Smart Slider 3 Pro: Pre-Auth RCE Backdoor Distributed via Official Update Channel

A supply chain attack on Smart Slider 3 Pro version 3.5.1.35 for WordPress distributed a pre-authentication remote command execution backdoor through the official update channel for approximately six hours before detection.

A supply chain compromise has hit Smart Slider 3 Pro, a popular WordPress slider plugin with over 800,000 active installations. An unauthorized party breached Nextend's update infrastructure and distributed a fully weaponized build of version 3.5.1.35 through the official update channel on April 7, 2026. The compromised version was available for approximately six hours before detection, and any site that updated during that window received a multi-layered remote access toolkit. A clean version 3.5.1.36 has since been released.

The injected malware includes a pre-authentication remote command execution backdoor triggered via custom HTTP headers. The code checks for the header `X-Cache-Status` with the value `nw9xQmK4` and, if present, base64-decodes the value of the `X-Cache-Key` header and passes it directly to `shell_exec()`. This gives the attacker an unauthenticated remote shell on every page load, including the frontend. The use of cache-related header names is a deliberate evasion technique to blend in with CDN or reverse proxy traffic.

In addition to the pre-auth backdoor, the malware includes an authenticated backdoor that activates when a request includes a GET parameter `_chk` matching a secret key stored in the WordPress option `_wpc_ak`. This backdoor supports two modes: PHP mode, which executes arbitrary PHP code via `eval()`, and shell mode, which attempts to execute OS commands using a fallback chain of six different execution functions (shell_exec, exec, system, passthru, proc_open, popen), so that command execution still succeeds on hardened PHP configurations where some of these functions are disabled.

The attacker preserved the legitimate plugin header and bootstrap logic, so the plugin still loads and functions normally, making the compromise difficult to detect. The malicious code was injected into the plugin's main PHP file, replacing the original `pre_http_request` filter. Only the Pro version of Smart Slider 3 is affected; the free version distributed through the WordPress.org plugin repository was not compromised.
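The indicators in the three paragraphs above (the trigger header and value, the `_wpc_ak` option and `_chk` parameter, and the six-function fallback chain) are concrete enough to turn into a file scan and a request triage. The following is an added defender-side example, not code from Nextend, Patchstack or the report; the PHP samples it scans are constructed stand-ins that contain only the published indicators, and the function names `ss3_http_filter` and `triage_request` are hypothetical.

```python
import re
from typing import Dict, List

# Indicators from the published description of the backdoored 3.5.1.35 build:
# the trigger header/value of the pre-auth backdoor, the option and GET
# parameter of the authenticated backdoor, and its six-function fallback chain.
TRIGGER_HEADER, TRIGGER_VALUE, PAYLOAD_HEADER = "x-cache-status", "nw9xQmK4", "x-cache-key"
AUTH_OPTION, AUTH_PARAM = "_wpc_ak", "_chk"
EXEC_CHAIN = ("shell_exec", "exec", "system", "passthru", "proc_open", "popen")

def scan_plugin_source(php_source: str) -> Dict[str, object]:
    """Look for the published indicators in the contents of one plugin PHP file."""
    found = {
        "trigger_header": "HTTP_X_CACHE_STATUS" in php_source,
        "trigger_value": TRIGGER_VALUE in php_source,
        "payload_header": "HTTP_X_CACHE_KEY" in php_source,
        "auth_option": AUTH_OPTION in php_source,
        "auth_param": bool(re.search(r"['\"]_chk['\"]", php_source)),
        # distinct members of the exec fallback chain referenced anywhere in the file
        "exec_chain": sorted(f for f in EXEC_CHAIN if re.search(rf"\b{f}\b", php_source)),
    }
    # Verdict: the hard-coded trigger value, the option+parameter pair, or a
    # near-complete exec fallback chain each point at the injected code.
    found["compromised"] = (found["trigger_value"]
                            or (found["auth_option"] and found["auth_param"])
                            or len(found["exec_chain"]) >= 4)
    return found

def triage_request(headers: Dict[str, str], query: Dict[str, str]) -> List[str]:
    """Explain why an inbound request looks like a backdoor activation (WAF/IDS use)."""
    h = {k.lower(): v for k, v in headers.items()}
    reasons = []
    if h.get(TRIGGER_HEADER) == TRIGGER_VALUE:
        reasons.append("pre-auth trigger: X-Cache-Status carries the magic value")
        if PAYLOAD_HEADER in h:
            reasons.append("X-Cache-Key present: encoded command payload")
    if AUTH_PARAM in query:
        reasons.append("authenticated backdoor parameter _chk in query string")
    return reasons

# Constructed samples: a clean stub and one carrying the indicators (not the real malware).
CLEAN_SAMPLE = "<?php\nadd_filter('pre_http_request', 'ss3_http_filter', 10, 3);\n"
BACKDOORED_SAMPLE = (
    "<?php\nif (($_SERVER['HTTP_X_CACHE_STATUS'] ?? '') === 'nw9xQmK4') "
    "{ $p = $_SERVER['HTTP_X_CACHE_KEY']; }\n"
    "if (($_GET['_chk'] ?? '') === get_option('_wpc_ak')) "
    "{ $fns = ['shell_exec','exec','system','passthru','proc_open','popen']; }\n"
)

if __name__ == "__main__":
    for name, src in (("clean", CLEAN_SAMPLE), ("backdoored", BACKDOORED_SAMPLE)):
        print(name, scan_plugin_source(src))
    print(triage_request({"X-Cache-Status": "nw9xQmK4", "X-Cache-Key": "Zm9v"}, {}))
```

A positive file verdict is grounds to treat the site as compromised per the guidance below, not just to delete the file; the request triage is meant for alerting and blocking at the proxy or WAF in front of WordPress.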

Nextend has confirmed the breach and released version 3.5.1.36, which removes the malicious code. Sites that ever had version 3.5.1.35 installed should be treated as fully compromised, and administrators should perform a thorough cleanup, including rotating all credentials, scanning for additional backdoors, and reviewing user accounts and file integrity. Patchstack has released a mitigation rule to protect against exploitation, but it does not guarantee complete protection if the site has already been infected.

This incident highlights the growing threat of supply chain attacks targeting popular WordPress plugins. With over 800,000 active installations, Smart Slider 3 is a high-value target, and the compromise of its update infrastructure allowed attackers to distribute malware to a wide audience with minimal effort. The use of cache-related HTTP headers for the pre-auth backdoor demonstrates sophisticated evasion techniques. Administrators are urged to verify their plugin versions and apply the latest updates immediately.

Synthesized by Vypr AI