Thursday, April 16, 2026
Adaptive Perspectives, 7-day Insights

Two Supply Chain Attacks Hit WordPress in One Week

Note: This post was written by Claude Opus 4.6. The following is a synthesis of reporting from major security news organizations.

Between April 5 and April 7, two unrelated groups compromised WordPress sites through the one channel administrators are trained to trust: the plugin update. One attacker breached Nextend’s infrastructure and pushed a fully weaponized Smart Slider 3 Pro build through the official update pipeline. The other activated dormant backdoors in 30+ plugins they had quietly purchased on Flippa a year earlier. Different methods, same structural gap: WordPress has no code signing, no ownership-change notification, and no automatic code review when a plugin ships an update.

Smart Slider 3 Pro: The Infrastructure Compromise

On April 7, an unauthorized party pushed version 3.5.1.35 of Smart Slider 3 Pro through Nextend’s update servers. The malicious build was live for roughly six hours before detection. Smart Slider 3 has over 800,000 active installations across its free and Pro editions; only Pro was affected. Nextend’s advisory confirmed the breach but did not disclose how the attacker accessed the infrastructure.

Patchstack’s malware analysis reveals a seven-stage payload designed for persistent, redundant access:

  • Pre-auth RCE via HTTP headers. The backdoor checks for a specific X-Cache-Status header value, then base64-decodes X-Cache-Key and passes it to shell_exec(). No login required.
  • Hidden admin account. A user named wpsvc_a3f1 (pattern: wpsvc_[4-char hash]) is created with administrator privileges. WordPress filter hooks hide the account from the admin user list and adjust role-count badges so the numbers still look right.
  • Triple-layer persistence. The malware installs three independent backdoors: a must-use plugin at mu-plugins/object-cache-helper.php (loads automatically, cannot be deactivated from the dashboard), injected code in the active theme’s functions.php, and a file dropped into wp-includes/ with its own authentication key stored on disk. If you clean one, the others survive.
  • Full credential exfiltration. Everything (site URL, WordPress and PHP versions, admin email, database name, and the plaintext username and password of the hidden account) is POSTed to the C2 domain wpjs1[.]com.

This is not a webshell. It is a full remote access toolkit delivered through a trusted channel. As Patchstack put it: “The plugin is the malware.”

Remediation: Updating to 3.5.1.36 removes the malicious plugin code but does not clean the persistence layer. Any site that installed 3.5.1.35, even briefly, should be treated as fully compromised. Nextend published a 17-step manual cleanup guide covering hidden accounts, backdoor files, database options (_wpc_ak, _wpc_uid, _wpc_uinfo), and credential rotation.
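The indicators listed above translate directly into a triage script. The following is an added example, not Nextend's cleanup guide or Patchstack's tooling: it checks a WordPress tree for the mu-plugin path, for files in wp-includes/ that a clean core copy of the same version does not ship (the baseline set is assumed to be supplied by the responder), and for any PHP file that feeds an X-* request header to shell_exec(); it then queries wp_users, wp_usermeta and wp_options directly, because the filter hooks that hide the account run in PHP and cannot affect raw SQL. The default wp_ table prefix and a lowercase-hex account suffix are assumptions; the sample site tree and database rows are constructed fixtures.

```python
import os
import re
import sqlite3
import tempfile

# Indicators quoted from the post. The 4-char account suffix is assumed to be lowercase hex.
MU_PLUGIN_BACKDOOR = os.path.join("wp-content", "mu-plugins", "object-cache-helper.php")
HIDDEN_USER_RE = re.compile(r"^wpsvc_[0-9a-f]{4}$")
# Text shape of the header-driven backdoor: shell_exec() reading an X-* request header.
HEADER_EXEC_RE = re.compile(r"shell_exec\s*\(.*\$_SERVER\s*\[\s*['\"]HTTP_X_", re.S)

# Plain MySQL assuming the default wp_ prefix; both strings can be pasted into a DB client.
ADMIN_USERS_SQL = """
SELECT u.ID, u.user_login FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'
"""
OPTIONS_SQL = """
SELECT option_name, option_value FROM wp_options
WHERE option_name IN ('_wpc_ak', '_wpc_uid', '_wpc_uinfo')
"""


def scan_files(root, includes_baseline):
    """Return (indicator, relative path) findings for the WordPress tree at root.
    includes_baseline: relative paths present in a clean wp-includes/ of the same
    core version (assumed to come from a pristine download)."""
    findings = []
    if os.path.isfile(os.path.join(root, MU_PLUGIN_BACKDOOR)):
        findings.append(("mu-plugin backdoor", MU_PLUGIN_BACKDOOR))
    # Any PHP file anywhere in the tree that executes a request header is a finding.
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                if HEADER_EXEC_RE.search(fh.read()):
                    findings.append(("header-driven exec", os.path.relpath(path, root)))
    # Files under wp-includes/ that core does not ship (the dropped third backdoor).
    inc = os.path.join(root, "wp-includes")
    for dirpath, _, files in os.walk(inc):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), inc)
            if rel not in includes_baseline:
                findings.append(("unexpected wp-includes file", rel))
    return findings


def scan_db(conn):
    """Query the tables directly: the hiding filter hooks run in PHP, raw SQL sees every row."""
    findings = []
    for uid, login in conn.execute(ADMIN_USERS_SQL):
        if HIDDEN_USER_RE.match(login):
            findings.append(("hidden admin account", f"{login} (ID {uid})"))
    for name, _value in conn.execute(OPTIONS_SQL):
        findings.append(("backdoor option", name))
    return findings


def triage(root, includes_baseline, conn):
    return scan_files(root, includes_baseline) + scan_db(conn)


def build_sample_site():
    """Constructed fixture: a minimal tree carrying the three persistence layers.
    The marker line is a PHP comment, so the fixture itself executes nothing."""
    root = tempfile.mkdtemp()
    marker = "// shell_exec($_SERVER['HTTP_X_CACHE_KEY']) -- constructed marker\n"
    layout = {
        MU_PLUGIN_BACKDOOR: "<?php\n" + marker,
        os.path.join("wp-content", "themes", "sample-theme", "functions.php"): "<?php\n// theme code\n" + marker,
        os.path.join("wp-includes", "version.php"): "<?php\n$wp_version = '6.8';\n",
        os.path.join("wp-includes", "constructed-dropped-file.php"): "<?php\n" + marker,
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def build_sample_db():
    """Constructed fixture: a legitimate admin, the hidden wpsvc_ admin, an editor,
    and the three backdoor options, in an in-memory SQLite copy of the tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        INSERT INTO wp_users VALUES (1, 'siteowner'), (2, 'wpsvc_a3f1'), (3, 'editor');
        INSERT INTO wp_usermeta VALUES
          (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
          (2, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
          (3, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
        INSERT INTO wp_options VALUES ('siteurl', 'https://example.test'),
          ('_wpc_ak', 'constructed'), ('_wpc_uid', '2'), ('_wpc_uinfo', 'constructed');
    """)
    return conn


if __name__ == "__main__":
    for kind, where in triage(build_sample_site(), {"version.php"}, build_sample_db()):
        print(f"[{kind}] {where}")
```

Against a real install, point triage() at the site root, a set of relative paths from a clean wp-includes/ of the same core version, and a DB-API connection to the site database (substituting the real table prefix in the two queries). A hit on any single indicator is enough: the script only locates the persistence layers, the site is still treated as fully compromised and cleaned per the 17-step guide, credentials included.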

The Flippa Pipeline: 30+ Plugins, One Buyer

Two days earlier, a separate attacker activated backdoors in 30+ WordPress plugins purchased from the Essential Plugin portfolio on Flippa in early 2025. The buyer, identified only as “Kris”, paid a six-figure sum for the portfolio, introduced a PHP deserialization backdoor in August 2025 under an innocuous changelog entry (“Check compatibility with WordPress version 6.8.2”), and waited eight months before activating the payload on April 5–6. The injection window was six hours and 44 minutes.

The C2 infrastructure is notable: rather than a conventional domain that could be seized, the payload queries an Ethereum smart contract through public blockchain RPC endpoints, making traditional takedown methods ineffective. The malware also employed cloaking, serving malicious content exclusively to Googlebot while site owners saw normal pages, designed to manipulate search rankings.

WordPress.org permanently closed all 31 affected plugins on April 7. Among them: Countdown Timer Ultimate, Popup Anything on Click, WP Testimonial with Widget, WP FAQ, and SP News and Widget.

The structural problem is clear. WordPress.org reviews code when a plugin is first submitted. It does not review code when a plugin changes ownership, and it sends no notification to the hundreds of thousands of sites running affected plugins when that ownership change happens.

Meanwhile, a CVSS 9.8 in Ninja Forms

Separately, CVE-2026-0740 in the Ninja Forms File Uploads extension is under active exploitation. The handle_upload function performs no file type validation, allowing unauthenticated attackers to upload PHP files for remote code execution. Wordfence blocked over 3,600 attacks in a single 24-hour period. A partial fix shipped in version 3.3.25; the complete patch requires 3.3.27. Roughly 50,000 sites run the vulnerable extension.
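The missing check in handle_upload is worth seeing concretely. The following is an added example, not Ninja Forms code, written in Python rather than PHP to show the validation a hardened upload handler performs before anything is written under the web root: the unchecked shape that lets the client-supplied filename decide what lands on disk, beside a version that allow-lists extensions, rejects a script extension in any dotted segment (so photo.php.jpg fails too), confirms the leading bytes match the declared type, and stores the file under a server-chosen random name. The script-extension list and allowed types are assumptions to be matched to the host's handler configuration.

```python
import os
import secrets

# Extensions a typical web server may hand to a script engine (assumed list;
# adjust to the host's actual handler configuration).
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
# Allow-list of upload types and the leading bytes a file of that type must start with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the caller returns an error, writes nothing."""


def handle_upload_unchecked(upload_dir, filename, data):
    """Shape of the flaw described above: no type validation, the client name is kept."""
    path = os.path.join(upload_dir, os.path.basename(filename))
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def validate_upload(filename, data):
    """Return the canonical extension for an acceptable upload or raise UploadRejected."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise UploadRejected("no extension")
    # Every dotted segment is checked, not just the last one.
    if any(p in SCRIPT_EXTENSIONS for p in parts[1:]):
        raise UploadRejected("script extension in name")
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    # A valid image header followed by PHP code is still not an image we want on disk.
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("embedded PHP tag")
    return ext


def handle_upload(upload_dir, filename, data):
    """Hardened path: validate first, then store under a random server-chosen name."""
    ext = validate_upload(filename, data)
    path = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")
    with open(path, "wb") as fh:
        fh.write(data)
    return path
```

Validation alone is not the whole fix: the upload directory should also be served with script execution disabled, so that a future bypass of the name and content checks still yields an inert file. The version numbers in the paragraph above (3.3.25 partial, 3.3.27 complete) are the only remediation the page gives for the extension itself.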

The Pattern

WordPress powers 43% of the web. Its plugin ecosystem has no code-signing requirement, no mandatory two-factor authentication for developer accounts, and no change-of-control review process. npm and PyPI implemented supply chain protections after high-profile incidents in the early 2020s. WordPress has not.

Two attacks in one week, using entirely different methods (infrastructure compromise and marketplace acquisition), produced the same result: malicious code delivered through the update channel that administrators are trained to trust. The lesson is that patching discipline and update hygiene, the things we tell people to do, become the attack surface when the supply chain itself is compromised.

If you run WordPress, the immediate actions are specific: check for Smart Slider 3 Pro 3.5.1.35, check for any of the 31 Essential Plugin portfolio plugins, update Ninja Forms File Uploads to 3.3.27, and review your site for indicators of compromise. The longer-term question, whether WordPress.org will implement the supply chain controls that other package ecosystems adopted years ago, remains open.

Sources