We are seeing sites update to a malicious version of 3.5.1.35 Pro that creates a malicious administrator account. It appears that Nextend’s update servers may potentially be compromised.
What a nightmare! But thanks for letting me know.
Security Advisory – Smart Slider 3 Pro
We have identified a security incident affecting Smart Slider 3 Pro.
An unauthorized party gained access to our update system and made a malicious plugin version (3.5.1.35 Pro) available for a limited period of time. This version is not an official release from Nextend.
The malicious version was accessible through our update server for approximately 6 hours before we detected and contained the issue.
Important:
- The free version of Smart Slider 3 on WordPress.org is NOT affected
- Only users who updated Smart Slider 3 Pro during this time window may be impacted
The malicious version may create unauthorized administrator accounts.
Actions we have taken:
- Immediately shut down our update servers
- Removed the malicious version
- Secured and are auditing our systems
- Began a full investigation into the incident
Immediate actions we strongly recommend:
- Check your WordPress admin users and remove any unknown accounts
- Remove Smart Slider 3 Pro version 3.5.1.35 if installed
- Reinstall the plugin from a trusted, clean source
- Reset all administrator passwords
- Review your site for any suspicious activity
We deeply regret this incident and are taking all necessary steps to strengthen our security and prevent this from happening again.
We will provide further updates as our investigation progresses.
If you believe your site is affected, please contact us at support@nextendweb.com and we will send you the latest clean installer.
Plugin Support
Laszlo
(@laszloszalvak)
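The first recommended action above, checking the administrator list for accounts you did not create, is easy to script. The following is an added example, not code from Nextend or from the original thread. It assumes WP-CLI is installed on the site; since this snippet has to run offline, it embeds a constructed CSV in the shape that `wp user list --format=csv` produces and a constructed allowlist of the admin logins you recognise. The cutoff date is a placeholder for the start of the roughly 6-hour window in which the malicious update was served.

```shell
#!/bin/sh
# Constructed sample of what this command returns on a live site:
#   wp user list --role=administrator \
#      --fields=ID,user_login,user_email,user_registered --format=csv
# The third row is a constructed example of an account a site owner does not recognise.
SAMPLE_ADMINS='ID,user_login,user_email,user_registered
1,site-owner,owner@example.invalid,2021-03-02 10:11:12
5,editor-admin,editor@example.invalid,2023-06-20 08:00:00
7,rescue-ops,rescue-ops@example.invalid,2025-11-14 03:22:05'

# Constructed allowlist: the administrator logins you know you created.
KNOWN_ADMINS='site-owner
editor-admin'

# Placeholder: start of the window in which the malicious update was available.
INCIDENT_CUTOFF='2025-11-13 00:00:00'

# Print login, email and registration time (tab separated) of every
# administrator in the CSV ($1) whose login is not in the allowlist ($2).
flag_unknown_admins() {
    printf '%s\n' "$1" | tail -n +2 | while IFS=, read -r id login email registered; do
        if ! printf '%s\n' "$2" | grep -qx -- "$login"; then
            printf '%s\t%s\t%s\n' "$login" "$email" "$registered"
        fi
    done
}

# Print the login of every administrator in the CSV ($1) registered at or
# after the cutoff ($2). "YYYY-MM-DD HH:MM:SS" compares correctly as a string.
admins_registered_since() {
    printf '%s\n' "$1" | tail -n +2 | while IFS=, read -r id login email registered; do
        if [ "$registered" \> "$2" ] || [ "$registered" = "$2" ]; then
            printf '%s\n' "$login"
        fi
    done
}

# Stand-alone run against the constructed data.
echo "Administrators not on the allowlist:"
flag_unknown_admins "$SAMPLE_ADMINS" "$KNOWN_ADMINS"
echo "Administrators registered since $INCIDENT_CUTOFF:"
admins_registered_since "$SAMPLE_ADMINS" "$INCIDENT_CUTOFF"

# On a real site, feed the live output instead of the sample, then act on
# each flagged ID with WP-CLI, e.g.
#   wp user delete <ID> --reassign=<your-admin-ID>
# and reset the remaining administrators with
#   wp user update <ID> --user_pass='<new password>'
```

Two independent checks are used on purpose: the allowlist catches a rogue account regardless of when it was created, and the registration-date check catches one whose login happens to look familiar. An account that appears in both lists is the strongest signal; one that appears in neither still warrants a glance at its email and last-login metadata before you trust it.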
Hi everybody!
Quick update:
The infected version 3.5.1.35 might have created files and inserted data into the database if the server’s firewall was unable to prevent it.
In response, our senior developer has created a custom cleanup plugin that removes these files and database records.
You can find the download link for the plugin, along with installation instructions, in the following documentation:
We strongly recommend that anyone who has ever updated to version 3.5.1.35 completes this cleanup process to ensure that no malicious files or data remain on their site.
The instructions are unclear. If we use “Recommended Cleanup Method (Automatic)”, do we still need to do any of the “Manual Cleanup Guide” steps? I assume so, but not sure where to start. Step 9?
@brentcredle, Manual cleanup is not required when you use the provided cleanup plugin.
The Cleanup plugin “FOUND USER ID 2 FOR kiziltxt2@gmail.com”. I still don’t need to change passwords etc. as outlined in Step 11? Just making sure as I’m running a VPS with many websites and emails attached and having to change passwords etc. on everything is a massive task, but if it’s necessary I will do it. Thanks for your quick reply.
@brentcredle, I analyzed the infection and at stage one it infected files at the first stage and notified a remote site about it. Nothing happened with my test site since then, so I think we caught it early on.
We don’t rule it out even if the chance is small that they could access anything like passwords. We are just precautious.
Okay, thanks again for the quick responses.