Unknown threat actors have hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla to push a poisoned version containing a backdoor.
The incident impacts Smart Slider 3 Pro version 3.5.1.35 for WordPress, according to WordPress security firm Patchstack. Smart Slider 3 is a popular WordPress slider plugin with more than 800,000 active installations across its free and Pro editions.
“An unauthorized party gained access to Nextend’s update infrastructure and distributed a fully attacker-authored build through the official update channel,” the firm said. “Any site that updated to 3.5.1.35 between its release on April 7, 2026, and its detection approximately 6 hours later received a fully weaponized remote access toolkit.”
Nextend, which maintains the plugin, said an unauthorized party gained access to its update system and pushed a malicious version (3.5.1.35 Pro) that remained available for roughly six hours before it was detected and pulled.
The trojanized update includes the ability to create rogue administrator accounts, as well as to drop backdoors that execute system commands remotely via HTTP headers and run arbitrary PHP code via hidden request parameters. According to Patchstack, the malware comes with the following capabilities –
- Achieve pre-authenticated remote code execution via custom HTTP headers like X-Cache-Status and X-Cache-Key, the latter of which contains the code that is passed to “shell_exec().”
- A backdoor that supports dual execution modes, enabling the attacker to execute arbitrary PHP code and operating system commands on the server.
- Create a hidden administrator account (e.g., “wpsvc_a3f1”) for persistent access and make it invisible to legitimate administrators by tampering with the “pre_user_query” and “views_users” filters.
- Use three custom WordPress options that are set with the “autoload” setting disabled to reduce their visibility in option dumps: _wpc_ak (a secret authentication key), _wpc_uid (user ID of the hidden administrator account), and _wpc_uinfo (Base64-encoded JSON containing the plaintext username, password, and email of the rogue account).
- Establish persistence in three locations for redundancy: create a must-use plugin with the filename “object-cache-helper.php” to make it look like a legitimate caching component, append the backdoor component to the active theme’s “functions.php” file, and drop a file named “class-wp-locale-helper.php” in the WordPress “wp-includes” directory.
- Exfiltrate to the command-and-control (C2) domain “wpjs1[.]com” the site URL, secret backdoor key, hostname, Smart Slider 3 version, WordPress version, PHP version, WordPress admin email address, WordPress database name, plaintext username and password of the rogue administrator account, and a list of all installed persistence methods.
“The malware operates in several stages, each designed to ensure deep, persistent, and redundant access to the compromised site,” Patchstack said.
“The sophistication of the payload is notable: rather than a simple webshell, the attacker deployed a multi-layered persistence toolkit with multiple independent, redundant re-entry points, user concealment, resilient command execution with fallback chains, and automatic C2 registration with full credential exfiltration.”
It's worth noting that the free version of the WordPress plugin is not affected. To contain the issue, Nextend shut down its update servers, removed the malicious version, and launched a full investigation into the incident.
Users who have the trojanized version installed are advised to update to version 3.5.1.36. In addition, users who installed the rogue version are recommended to perform the following cleanup steps –
- Check for any suspicious or unknown admin accounts and remove them.
- Remove Smart Slider 3 Pro version 3.5.1.35 if installed.
- Reinstall a clean version of the plugin.
- Remove all persistence files that allow the backdoor to persist on the site.
- Delete malicious WordPress options from the “wp_options” table: _wpc_ak, _wpc_uid, _wpc_uinfo, _perf_toolkit_source, and wp_page_for_privacy_policy_cache.
- Clean up the “wp-config.php” file, including removing “define(‘WP_CACHE_SALT’, ‘ ‘);” if it exists.
- Remove the line “# WPCacheSalt” from the “.htaccess” file located in the WordPress root folder.
- Reset the administrator and WordPress database user passwords.
- Change FTP/SSH and hosting account credentials.
- Review the website and logs for any unauthorized changes and unusual POST requests.
- Enable two-factor authentication (2FA) for admins and disable PHP execution in the uploads folder.
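As an added example (not Patchstack's or Nextend's tooling), the following POSIX shell script checks a WordPress root for the on-disk artefacts named in the capability list and the cleanup steps above: the two dropped files, the component appended to a theme's functions.php, the WP_CACHE_SALT define and the WPCacheSalt marker. It assumes the functions.php component carries the toolkit's own markers (the _wpc_ option prefix, the X-Cache-Key header or the wpjs1 domain); the demo fixture it builds is constructed sample data.

```shell
#!/bin/sh
# Triage of the on-disk artefacts listed above (added example, not Patchstack's or Nextend's tooling).
# Assumption: the code appended to functions.php carries the toolkit's own markers
# (_wpc_ options, X-Cache-Key header, wpjs1 C2 domain). Database artefacts are not covered.

# Print one line per indicator found under the WordPress root $1; return the number of hits.
scan_wp_root() {
    root="$1"
    hits=0
    # 1. Persistence files dropped by the trojanized update.
    for f in wp-content/mu-plugins/object-cache-helper.php wp-includes/class-wp-locale-helper.php; do
        if [ -f "$root/$f" ]; then
            echo "FOUND file: $f"
            hits=$((hits + 1))
        fi
    done
    # 2. Backdoor component appended to a theme's functions.php (assumed markers, see above).
    for t in "$root"/wp-content/themes/*/functions.php; do
        if [ -f "$t" ] && grep -q -e '_wpc_' -e 'X-Cache-Key' -e 'wpjs1' "$t"; then
            echo "FOUND toolkit markers in theme file: ${t#*/themes/}"
            hits=$((hits + 1))
        fi
    done
    # 3. Markers left in wp-config.php and .htaccess.
    if [ -f "$root/wp-config.php" ] && grep -q 'WP_CACHE_SALT' "$root/wp-config.php"; then
        echo "FOUND WP_CACHE_SALT define in wp-config.php"
        hits=$((hits + 1))
    fi
    if [ -f "$root/.htaccess" ] && grep -q '^# WPCacheSalt' "$root/.htaccess"; then
        echo "FOUND WPCacheSalt marker in .htaccess"
        hits=$((hits + 1))
    fi
    return "$hits"
}

# Build a throwaway WordPress layout carrying every indicator (constructed sample data, not a real
# infection) and print its path.
make_constructed_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/mu-plugins" "$d/wp-content/themes/demo"
    echo '<?php // placeholder' > "$d/wp-content/mu-plugins/object-cache-helper.php"
    echo '<?php // placeholder' > "$d/wp-includes/class-wp-locale-helper.php"
    printf '<?php\n// theme code\n// appended block reads option _wpc_ak\n' > "$d/wp-content/themes/demo/functions.php"
    printf "<?php\ndefine('WP_CACHE_SALT', 'placeholder');\n" > "$d/wp-config.php"
    printf '# WPCacheSalt\nRewriteEngine On\n' > "$d/.htaccess"
    echo "$d"
}

# Demo on the fixture: sh scan.sh --demo   (on a real site: scan_wp_root /var/www/html)
if [ "${1:-}" = "--demo" ]; then fx=$(make_constructed_fixture); scan_wp_root "$fx"; echo "hits: $?"; rm -rf "$fx"; fi
```

The wp_options rows and the hidden administrator user are database artefacts the script does not cover; review those with WP-CLI (`wp option get _wpc_ak`, `wp user list --role=administrator`) or directly in SQL.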
“This incident is a textbook supply chain compromise, the kind that renders traditional perimeter defenses irrelevant,” Patchstack said. “Generic firewall rules, nonce verification, role-based access controls, none of them apply when the malicious code is delivered through the trusted update channel. The plugin is the malware.”