
"An unauthorized party gained access to Nextend's update infrastructure and distributed a fully attacker-authored build through the official update channel. Any site that updated to 3.5.1.35 between its release on April 7, 2026, and its detection approximately 6 hours later received a fully weaponized remote access toolkit."
"The trojanized update includes the ability to create rogue administrator accounts, as well as drop backdoors that execute system commands remotely via HTTP headers and run arbitrary PHP code via hidden request parameters."
"Achieve pre-authenticated remote code execution via custom HTTP headers like X-Cache-Status and X-Cache-Key, the latter of which contains the code that's passed to 'shell_exec()'."
Threat actors compromised the Smart Slider 3 Pro plugin's update system, distributing a malicious version (3.5.1.35) that included a backdoor. This incident affected over 800,000 active installations. The unauthorized access allowed attackers to push a fully weaponized remote access toolkit through the official update channel. The malicious update was available for approximately six hours before detection. The backdoor enabled the creation of rogue administrator accounts and remote execution of system commands, posing significant risks to affected sites.
Read at The Hacker News
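For triage of a site that may have received the trojanized build, the following added example (not code from the report or from Nextend) scans PHP source text for the two request headers named above and raises the severity when the same file also calls an execution function. It assumes the header names appear unobfuscated in the file; the sample inputs are constructed and inert.

```python
import re

# Request headers named in the report. PHP exposes a request header as
# $_SERVER['HTTP_<NAME>'], upper-cased with dashes turned into underscores.
REPORTED_HEADERS = ("X-Cache-Status", "X-Cache-Key")

# shell_exec is the sink named in the report; the others are an assumption
# (common PHP execution functions worth flagging alongside it).
SINK_RE = re.compile(r"\b(shell_exec|passthru|proc_open|popen|system|exec|eval)\s*\(")


def header_regex(name):
    """Match either the $_SERVER key form or the literal header name."""
    server_key = "HTTP_" + name.upper().replace("-", "_")
    return re.compile(re.escape(server_key) + "|" + re.escape(name), re.IGNORECASE)


def scan_php(source):
    """Return (severity, [(line_no, header), ...]) for one PHP file's text."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for name in REPORTED_HEADERS:
            if header_regex(name).search(line):
                hits.append((line_no, name))
    if not hits:
        return "clean", hits
    # A header name alone can be benign (a cache layer setting a response
    # header). The same file also calling an execution sink is what the
    # report describes, so that combination is rated "high".
    severity = "high" if SINK_RE.search(source) else "review"
    return severity, hits


# Constructed fixtures: neither is taken from the malicious build.
SAMPLE_SUSPECT = """<?php
$k = $_SERVER['HTTP_X_CACHE_KEY'] ?? null;
/* constructed fixture: sink call with a fixed, harmless argument */
$o = shell_exec('true');
"""
SAMPLE_BENIGN = "<?php\nheader('X-Cache-Status: HIT');\n"

if __name__ == "__main__":
    for label, src in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, scan_php(src))
```

A "review" or "high" result is a prompt for manual inspection of that file, alongside checking the installed plugin version and the administrator account list.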