10 April 2026.
The Hacker News report that "unknown threat actors have hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla to push a poisoned version containing a backdoor".
"The trojanized update includes the ability to create rogue administrator accounts, as well as drop backdoors that execute system commands remotely".
mySite.guru separately reported that: "Smart Slider 3 Pro version 3.5.1.35 was a malicious release".
"Not a vulnerability, not a coding mistake, not a missed capability check. An unauthorized party pushed a backdoored build through Nextend’s own update infrastructure".
What should you do?
Check whether or not your website is using Smart Slider 3.
If it is then follow the guidance at the links below.
mySite.guru Blog: Smart Slider 3 Pro version 3.5.1.35 was a malicious release
Read more: Backdoored Smart Slider 3 Pro Update distributed via compromised Nextend servers
If your website has been hacked then mySites.guru offer a value for money rescue package (recommended).
Make Joomla! CMS Security your #1 Priority
We help and support managers responsible for Joomla! CMS websites in UK business and third sector organisations across Cheshire, Greater Manchester, Merseyside and North West England.
Your personal data is nobody's business.