Smart Slider 3 Pro WordPress/Joomla Plugin Supply Chain Compromise

The Exploit: Penetration Testing Insights From The Frontlines
Posted on April 15, 2026

Written by Jason Taylor

There has been one constant recommendation that has spanned my years as a System Administrator, through my role as a Senior Information Security Analyst, and even now into my role as a Lead Penetration Tester here at Raxis: stay up to date on patches. Update often to stay ahead of malicious actors that may not have reached your environment yet.

Lately, however, that mantra has resulted in organizations inadvertently compromising their own systems through supply chain attacks. The most recent example, at least at the time of writing, is Smart Slider 3 Pro, a WordPress and Joomla plugin whose update channel briefly served a malicious version to every website that saw a new release was available and, wanting to stay on top of security by patching often, installed it.

Steps to Take Now

The affected version, 3.5.1.35, was served from Nextend’s update servers on April 7th, 2026, for a couple of hours. If you or your organization is responsible for a WordPress or Joomla site, audit your plugins immediately and, if you find Smart Slider 3 Pro version 3.5.1.35, consider your website compromised and follow the steps in the security advisory.

Note that this only affected the Pro version of the plugin. The Pro version is uniquely served from Nextend’s own update servers and avoids using WordPress and Joomla’s extension registries that the free/non-Pro version of Smart Slider 3 uses.
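The audit step above is easy to script. The example below is added here and is not code from the post, from Raxis, or from Nextend: it reads the standard WordPress plugin header (the `Plugin Name:` / `Version:` comment block in the first 8 KB of a plugin's main PHP file) and the Joomla extension manifest (`<extension>` XML with `<name>` and `<version>` children), and flags any install that reports the affected name and version. The plugin name string, the directory slugs in the constructed demo site, and the Joomla manifest locations searched are assumptions; adjust them to your install. Per the post, a match means the site should be treated as compromised and the advisory followed, not simply updated.

```python
"""Audit WordPress and Joomla trees for the compromised Smart Slider 3 Pro build.

Added example, not the post's or the vendor's own code. Plugin name string,
demo directory slugs and Joomla manifest paths are assumptions.
"""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Affected version is the one named in the post; the header/manifest name
# string is assumed to match the product name exactly.
AFFECTED_NAME = "Smart Slider 3 Pro"
AFFECTED_VERSION = "3.5.1.35"

# WordPress reads plugin metadata as "Key: value" lines from a comment block in
# the first 8 KB of the plugin's main PHP file.
_HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_wp_plugin_header(php_source: str) -> dict:
    """Return {'name', 'version'} from a WordPress plugin file header."""
    found = dict(_HEADER_RE.findall(php_source[:8192]))
    return {"name": found.get("Plugin Name", ""), "version": found.get("Version", "")}


def parse_joomla_manifest(xml_source: str) -> dict:
    """Return {'name', 'version'} from a Joomla extension manifest."""
    root = ET.fromstring(xml_source)
    if root.tag != "extension":
        return {"name": "", "version": ""}
    return {
        "name": (root.findtext("name") or "").strip(),
        "version": (root.findtext("version") or "").strip(),
    }


def is_affected(meta: dict) -> bool:
    """True only for an exact match on the compromised build."""
    return (meta["name"].strip().lower() == AFFECTED_NAME.lower()
            and meta["version"].strip() == AFFECTED_VERSION)


def audit_site(site_root: Path) -> list:
    """Walk one site tree; return (path, name, version) for every affected install."""
    hits = []
    # WordPress: one main PHP file per plugin directory.
    for php in site_root.glob("wp-content/plugins/*/*.php"):
        meta = parse_wp_plugin_header(php.read_text(errors="replace"))
        if is_affected(meta):
            hits.append((str(php), meta["name"], meta["version"]))
    # Joomla: manifests under administrator/components and plugins (assumed layout).
    patterns = ("administrator/components/*/*.xml", "plugins/*/*/*.xml")
    for pattern in patterns:
        for manifest in site_root.glob(pattern):
            try:
                meta = parse_joomla_manifest(manifest.read_text(errors="replace"))
            except ET.ParseError:
                continue  # not an extension manifest; skip it
            if is_affected(meta):
                hits.append((str(manifest), meta["name"], meta["version"]))
    return hits


def build_demo_site() -> Path:
    """Create a constructed sample tree: one affected WP plugin, one clean free plugin,
    one affected Joomla component. Slugs are made up for the demo."""
    root = Path(tempfile.mkdtemp(prefix="site-audit-"))
    pro = root / "wp-content" / "plugins" / "smart-slider-3-pro"
    pro.mkdir(parents=True)
    (pro / "smart-slider-3-pro.php").write_text(
        "<?php\n/*\n * Plugin Name: Smart Slider 3 Pro\n * Version: 3.5.1.35\n */\n")
    free = root / "wp-content" / "plugins" / "smart-slider-3"
    free.mkdir(parents=True)
    (free / "smart-slider-3.php").write_text(
        "<?php\n/*\n * Plugin Name: Smart Slider 3\n * Version: 3.5.1.35\n */\n")
    joomla = root / "administrator" / "components" / "com_smartslider3"
    joomla.mkdir(parents=True)
    (joomla / "smartslider3.xml").write_text(
        '<extension type="component" method="upgrade">\n'
        "  <name>Smart Slider 3 Pro</name>\n  <version>3.5.1.35</version>\n</extension>\n")
    return root


if __name__ == "__main__":
    for path, name, version in audit_site(build_demo_site()):
        print(f"AFFECTED: {name} {version} at {path}")
```

Run it against a real document root instead of the demo tree by calling `audit_site(Path("/var/www/example"))`. The check is deliberately an exact match: the free Smart Slider 3 carries the same version number but was not distributed through Nextend's servers, so it is not flagged.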

Reputational Damage

While a WordPress site may be just a marketing tool, it is also the client-facing side of your organization. If your website ends up on a blacklist, it affects both prospective and current customers. Not only does it potentially prevent them from accessing your site until you work to clean up the compromise, but it also does reputational damage in the minds of your clients. 

If you want to keep a constant eye on the vulnerabilities within your WordPress sites, or any external facing infrastructure, consider reaching out to Raxis to learn more about our Raxis Attack Penetration Testing as a Service (PTaaS) options for continual monitoring and unlimited penetration testing.

Jason Taylor


Jason has a passion for asking “what-if” questions and for trying to “break” software and test how it responds to unintended uses. Jason has a background in System Administration and Security Engineering in the financial sector. He holds both defensive and offensive certifications including OSCP, PNPT, GCIH, CASP+, and is Splunk Certified. When he’s not spending his time taking new training courses, he loves spending time with his wife and kids and occasionally working on an IoT project to automate some aspect of their greenhouse or chicken coop.
