Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
The plugin wasn’t vulnerable. The update server was.
On April 7, attackers hijacked Nextend’s update delivery infrastructure and pushed a malicious build to 900,000 WordPress and Joomla sites. Anyone with auto-updates enabled got version 3.5.1.35. That version doesn’t contain one backdoor. It contains six, layered specifically so that standard cleanup won’t catch all of them.
The nastiest part: it dropped a must-use plugin into wp-content/mu-plugins. That directory loads before everything else. It doesn’t appear in your WordPress admin plugins list. You cannot deactivate it through the dashboard. A site admin looking at their plugins page would see nothing wrong.
It also injected a hidden admin account, stole credentials, wrote a .cache_key persistence file that survives a database credential reset, and dropped fake files into the wp-includes core directory. Deleting Smart Slider 3 Pro does nothing to any of this.
The reliable fix: restore from a backup that predates April 7, then update to 3.5.1.36. If you don’t have one, PatchStack has published a manual remediation guide. It’s thorough and genuinely complex.
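As an added example (not from the post or from PatchStack's guide), here is an offline triage script that checks a WordPress tree for the file-system indicators the post names: anything in wp-content/mu-plugins, any .cache_key file, wp-includes files absent from a clean manifest, and a Smart Slider plugin still at 3.5.1.35. Assumptions: the post does not say where .cache_key lives, so it is searched everywhere under the root; the clean manifest must come from a pristine copy of the same WordPress version; the plugin is recognised by a header Plugin Name containing "Smart Slider"; the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

BAD_VERSION = "3.5.1.35"  # the malicious build named in the post


def plugin_header(path: Path) -> dict:
    # Parse 'Key: value' lines of a WordPress plugin header (first 8 KB of the file)
    head = path.read_text(errors="ignore")[:8192]
    return dict(re.findall(r"^\s*\*?\s*([A-Za-z ]+?):\s*(.+?)\s*$", head, re.M))


def triage(root: Path, clean_includes: set) -> dict:
    """Report the post's file-system indicators for the WordPress tree at root.
    clean_includes: wp-includes paths (relative, POSIX) of a pristine install of the same
    version. The hidden admin account lives in the database, outside this file check."""
    f = {"mu_plugins": [], "cache_key": [], "extra_includes": [], "bad_slider": []}
    mu = root / "wp-content" / "mu-plugins"
    if mu.is_dir():  # loads before everything and never shows in the admin plugin list
        f["mu_plugins"] = sorted(p.name for p in mu.iterdir())
    # assumption: the persistence file keeps the name .cache_key wherever it is written
    f["cache_key"] = sorted(p.relative_to(root).as_posix() for p in root.rglob(".cache_key"))
    inc = root / "wp-includes"
    if inc.is_dir():
        rels = (p.relative_to(inc).as_posix() for p in inc.rglob("*") if p.is_file())
        f["extra_includes"] = sorted(r for r in rels if r not in clean_includes)
    for main in (root / "wp-content" / "plugins").glob("*/*.php"):
        h = plugin_header(main)  # assumption: header Plugin Name contains "Smart Slider"
        if "Smart Slider" in h.get("Plugin Name", "") and h.get("Version") == BAD_VERSION:
            f["bad_slider"].append(main.relative_to(root).as_posix())
    return f


def build_sample(root: Path) -> set:
    # Constructed toy tree carrying every indicator (not real artifacts); returns the
    # clean wp-includes manifest for it: only version.php is legitimate.
    files = {
        "wp-includes/version.php": "<?php $wp_version = '6.5';",
        "wp-includes/extra-loader.php": "<?php // constructed: not in the clean manifest",
        "wp-content/mu-plugins/loader.php": "<?php // constructed must-use plugin",
        "wp-content/plugins/smart-slider-3-pro/smart-slider-3-pro.php":
            "<?php\n/*\n * Plugin Name: Smart Slider 3 Pro\n * Version: 3.5.1.35\n */",
        "wp-content/uploads/.cache_key": "constructed persistence marker",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return {"version.php"}


def run_demo() -> dict:
    # Build the constructed tree in a temp directory and triage it
    root = Path(tempfile.mkdtemp())
    return triage(root, build_sample(root))
```

Run `triage(Path("/path/to/site"), manifest)` against a real install with a manifest generated from a clean WordPress download of the same version; an empty report does not clear the database-resident indicators (the injected admin user, stolen credentials).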
What each of the six backdoor layers does and how to fully clean a compromised site