WordPress security advisory: Smart Slider 3 Pro 3.5.1.35 compromise

Description

A security breach affected the update system responsible for distributing Smart Slider 3 Pro for WordPress. Unauthorized parties released a malicious version 3.5.1.35, which may have been installed on some websites.

Once detected, the update infrastructure was shut down and a full security audit was performed. A fixed and secure version 3.5.1.36 has been released.

⚠️ Important: Only the Pro version is affected.

The malware in the WordPress version differs from Joomla and includes deeper persistence mechanisms.

👉 A cleanup plugin is available to automatically remove the infection:



Affected Versions

Version    | Status         | Action Required
3.5.1.35   | ❌ Compromised | Immediate action required
3.5.1.36   | ✅ Safe        | No action needed
≤ 3.5.1.34 | ✅ Safe        | No action needed

What the Malware Does (WordPress)

The malicious plugin version includes multiple backdoors and persistence layers.

It may:

  • Execute system commands remotely via HTTP headers (shell_exec)
  • Execute arbitrary PHP code via hidden request parameters
  • Create a hidden administrator user:
    • username: wpsvc_xxxx
    • email: kiziltxt2@gmail.com
  • Hide this user from the admin interface
  • Store credentials in WordPress options (_wpc_uinfo)
  • Install persistent backdoors in multiple locations:
    • wp-content/mu-plugins/object-cache-helper.php
    • theme functions.php
    • wp-includes/class-wp-locale-helper.php
  • Send site and credential data to an external server (wpjs1.com)

Because of this, affected sites should be considered fully compromised.


🔄 Server Rollback

If you have an available backup point, we strongly recommend rolling back your server to a backup created before version 3.5.1.35.

The compromised update was released by the attacker on April 7, 2026. Due to time zone differences, it is safest to restore from a backup dated April 5, 2026 or earlier.

This ensures that any potentially malicious files are completely removed, as they were never present in the restored backup.

How to Roll Back

  1. Log in to your server hosting provider’s dashboard
  2. Look for a section related to backups, snapshots, or restore points
  3. Find a backup created before version 3.5.1.35
  4. Use the available restore/rollback option to restore that backup

⚠️ Backup and restore options vary between providers.

If you’re unsure how to proceed, please contact your hosting provider’s support for assistance.

Reset Your Credentials

After restoring your server, it is still recommended to regenerate your credentials as described below, as the attacker might have accessed them.


If you don't have a backup, then proceed with the automatic or the manual cleanup methods described below.


✅ Recommended Cleanup Method (Automatic)

We strongly recommend using the official cleanup plugin.

Steps

  1. Download the cleanup plugin:
    • https://nextendweb.com/public/cleanup.zip
  2. In WordPress admin:
    • Go to Plugins → Add New → Upload Plugin
    • Upload the ZIP file
    • Install and activate
  3. The plugin will automatically:
    • Remove malicious files
    • Delete the hidden admin user
    • Clean infected theme files
    • Remove persistence mechanisms
    • Delete malicious options (_wpc_*)
  4. Optional after completion:
    • Check the log file: wp-content/uploads/malware-cleanup.log
    • Deactivate and delete the cleanup plugin

🛠 Manual Cleanup Guide (If Not Using the Plugin)

Follow these steps carefully.


1. Update Immediately

  • Remove version 3.5.1.35
  • Install 3.5.1.36 from a trusted source

2. Put Site in Maintenance Mode

Temporarily restrict access to prevent further exploitation.


3. Backup the Site

Create a full backup of:

  • Files
  • Database

Label it as an infected backup.


4. Remove Malicious Plugin

Delete the entire plugin directory:

wp-content/plugins/nextend-smart-slider3-pro/

⚠️ Do not leave any files behind.


5. Remove Hidden Admin User

Check all users in WordPress.

Look for:

  • username starting with: wpsvc_    
  • email: kiziltxt2@gmail.com    

Delete this user immediately.


6. Remove Persistence Files

Delete these files if they exist:

wp-content/mu-plugins/object-cache-helper.php
wp-includes/class-wp-locale-helper.php
wp-includes/.cache_key

These are hidden backdoors that allow re-entry.


7. Clean Theme functions.php    

Check all active themes:

wp-content/themes/<your-theme>/functions.php

Remove this malicious pattern:

add_action('init',function(){ ... eval(...) ... shell_exec(...) ... });

This code enables remote execution.


8. Remove Malicious WordPress Options

In the database (wp_options table), delete:

  • _wpc_ak    
  • _wpc_uid    
  • _wpc_uinfo    

These store attacker access keys and credentials.


9. Reinstall WordPress Core

Replace all core files with a clean version:

  • Download WordPress from the official source
  • Replace everything except:
    • wp-config.php
    • wp-content/uploads/

10. Reinstall Plugins and Themes

  • Remove all plugins
  • Reinstall only from trusted sources
  • Remove unused or nulled plugins

11. Change All Passwords

Reset:

  • WordPress admin passwords
  • WordPress security keys (salts)
  • Hosting account
  • FTP / SSH
  • Database password
  • Email accounts

How to reset the WordPress admin passwords:

  1. Log in to your WordPress dashboard: /wp-admin
  2. Go to Users → All Users (/wp-admin/users.php)
  3. For each user with the Administrator role:
    1. Click Edit
    2. Scroll down to the Account Management section
    3. Click Set New Password (WordPress will generate a strong password automatically)
    4. Click Update User to save
  4. Tip: You can also use the “Send password reset” option so each administrator can set their own password securely.

How to change the WordPress Security Keys (Salts):

  1. Generate new security keys here:

    https://api.wordpress.org/secret-key/1.1/salt/

  2. Open your website’s wp-config.php file
  3. Replace the existing keys (AUTH_KEY, SECURE_AUTH_KEY, etc.) with the new ones. Make sure you replace the existing salts rather than adding the new ones alongside them, as defining constants twice could cause errors.
  4. Save the file

This will also log out all users and invalidate existing sessions.


Changing the Database password:

Please contact your hosting provider for guidance on how to change your WordPress database user password.

After changing it:

  1. Open wp-config.php  
  2. Update the value of this constant to the new password that you generated:
define('DB_PASSWORD', 'your-new-password');

Changing the FTP / SSH and Hosting account credentials:

Please contact your hosting provider for guidance on how to change these credentials.


12. Scan for Additional Malware

Search for:

  • eval(base64_decode    
  • shell_exec    
  • _wpc_    
  • wpjs1.com    

Check especially:

  • wp-content/    
  • uploads/    
  • cache/    
  • mu-plugins/    
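The file checks from steps 6 and 12 can be run as one read-only sweep. The script below is an added example, not part of the vendor's cleanup plugin; the indicator values are the ones listed in this advisory, while the function names and the example path are assumptions.

```bash
#!/usr/bin/env bash
# Added example: read-only indicator sweep of one WordPress install.
# Indicator values come from this advisory; function names are hypothetical.

# Persistence files from step 6, relative to the WordPress root.
IOC_FILES='wp-content/mu-plugins/object-cache-helper.php
wp-includes/class-wp-locale-helper.php
wp-includes/.cache_key'

# Fixed strings from step 12.
IOC_STRINGS='eval(base64_decode
shell_exec
_wpc_
wpjs1.com'

# Print "FILE <path>" for every persistence file that exists.
check_ioc_files() {
    root=$1
    printf '%s\n' "$IOC_FILES" | while IFS= read -r rel; do
        if [ -e "$root/$rel" ]; then printf 'FILE %s\n' "$root/$rel"; fi
    done
}

# Print "MATCH <string> <path>" for every file under wp-content containing a string.
scan_ioc_strings() {
    root=$1
    printf '%s\n' "$IOC_STRINGS" | while IFS= read -r pat; do
        # -r recurse, -l names only, -I skip binaries, -F literal match (no regex)
        { grep -rlIF -e "$pat" "$root/wp-content" 2>/dev/null || true; } |
        while IFS= read -r f; do printf 'MATCH %s %s\n' "$pat" "$f"; done
    done
}

# Run both checks; nothing is modified or deleted.
scan_wp_iocs() {
    check_ioc_files "$1"
    scan_ioc_strings "$1"
}

# Usage: ./scan.sh /var/www/html   (path is an assumption)
if [ "$#" -gt 0 ]; then scan_wp_iocs "$1"; fi
```

A FILE line is a known persistence path and should be treated as confirmation. A MATCH line for shell_exec is only a lead, since legitimate plugins may call it, so review each hit before deleting anything.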

13. Review Logs

Check:

  • access logs
  • admin logins
  • unusual POST requests

Look for:

  • _chk parameter
  • base64 payloads
  • unknown admin access
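For the _chk check, the following added example (not from the vendor) summarises, per client IP, requests in a combined-format access log whose URL carries a _chk parameter. The function names and the sample log lines are constructed for illustration; standard access logs do not record POST bodies, so a _chk sent in a request body will not appear here.

```bash
#!/usr/bin/env bash
# Added example: find requests carrying a _chk URL parameter in an access log.
# Assumes Apache/nginx "combined" log format; function names are hypothetical.

# Constructed sample log lines (documentation IP ranges, placeholder values).
sample_access_log() {
cat <<'EOF'
192.0.2.10 - - [07/Apr/2026:10:00:00 +0000] "GET /?_chk=PLACEHOLDER HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [07/Apr/2026:10:01:12 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.10 - - [08/Apr/2026:03:14:15 +0000] "POST /wp-admin/admin-ajax.php?action=x&%5Fchk=PLACEHOLDER HTTP/1.1" 200 64 "-" "curl/8.0"
203.0.113.5 - - [08/Apr/2026:04:00:00 +0000] "GET /?page_chk=2 HTTP/1.1" 200 128 "-" "Mozilla/5.0"
EOF
}

# Reads log files given as arguments, or stdin when none are given.
# Output columns: ip  hits  first_seen  last_seen
chk_requests_by_ip() {
    awk -F'"' '
    {
        split($2, req, " ")              # req[1]=method, req[2]=URL, req[3]=protocol
        url = tolower(req[2]) "&"        # trailing & lets one pattern cover a bare parameter
        # Parameter must be named exactly _chk (also when URL-encoded as %5Fchk).
        if (url !~ /[?&](_|%5f)chk[=&]/) next
        split($1, pre, " ")              # pre[1]=client IP, pre[4]="[timestamp"
        ip = pre[1]
        ts = pre[4]
        sub(/^\[/, "", ts)
        if (!(ip in hits)) first[ip] = ts
        hits[ip]++
        last[ip] = ts
    }
    END { for (ip in hits) printf "%s %d %s %s\n", ip, hits[ip], first[ip], last[ip] }
    ' "$@" | sort
}

# Demo on the constructed sample; on a server, pass the real log path instead.
sample_access_log | chk_requests_by_ip
```

The first_seen and last_seen columns give a starting window for correlating admin logins and file changes on the same dates.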

14. Harden the Site

After cleanup:

  • Enable 2FA for admins
  • Disable PHP execution in uploads folder
  • Keep everything updated
  • Use strong passwords
  • Limit admin access

Summary

  • A malicious version (3.5.1.35) was briefly distributed
  • A fixed version (3.5.1.36) is available
  • Only the Pro version is affected
  • Infection includes admin creation, backdoors, and remote execution
  • Use the cleanup plugin for easiest recovery
  • Manual cleanup is possible but requires careful verification

Final Recommendation

If version 3.5.1.35 was installed:

👉 Treat the site as fully compromised

👉 Perform a full audit

👉 Reset all credentials

If unsure, involve a security professional.
