A fully compromised website gives attackers persistent, invisible control over all site content, user data, and connected systems — meaning customer data theft, ransomware deployment, or fraudulent content injection are all viable follow-on actions with no further exploit required. For e-commerce, membership, or lead-generation sites, a compromise of this depth creates direct regulatory exposure under applicable data protection laws and can result in payment processor penalties or suspension. The reputational damage from a defacement, data breach, or malware distribution through your own website can be more costly than the technical remediation itself.
You Are Affected If
You operate WordPress or Joomla sites with Smart Slider 3 Pro installed
Your Smart Slider 3 Pro version is v3.5.1.35 (indicating the site received the trojanized update)
Plugin auto-updates were enabled and the site was reachable at any point from April 7, 2026 until the vendor published the patched release
You have not audited wp-content/mu-plugins/ and WordPress user accounts for unauthorized additions since April 7
You have not verified the hash of your currently installed build against the hash the vendor published for the patched release
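The last two checks above are the ones an operator can script. The following is an added example, not tooling from the advisory or the vendor: POSIX shell helpers that list files in wp-content/mu-plugins modified on or after a cutoff date, filter a user list for accounts registered on or after that date, and compare the installed plugin tree against a clean extraction of the patched release. The plugin directory name, the cutoff date and the reference hash are all placeholders passed in by the operator; the example does not know the vendor's real hash. The intended workflow is to download the patched release zip, check it against the vendor-published hash with sha256sum, extract it, and then compare that clean tree to the installed one.

```shell
#!/bin/sh
# Added example (not the advisory's or the vendor's code). Post-update audit
# helpers for a WordPress site. Placeholders: WP_ROOT (site root),
# CUTOFF (YYYY-MM-DD, the start of the exposure window), PLUGIN_DIR
# (installed plugin directory) and CLEAN_DIR (a verified clean extraction
# of the patched release). None of these values come from the vendor.

# sha256 of stdin, using whichever coreutils/perl tool the host has.
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# Files under wp-content/mu-plugins with mtime after CUTOFF (YYYY-MM-DD).
# Must-use plugins load unconditionally and never show in the Plugins
# screen, so a dropped file here survives a normal plugin review.
# Uses a reference file with touch -t, which is POSIX (find -newermt is not).
find_recent_mu_plugins() {
    root="$1"; cutoff="$2"
    dir="$root/wp-content/mu-plugins"
    [ -d "$dir" ] || { echo "no mu-plugins directory under $root" >&2; return 0; }
    ref=$(mktemp)
    touch -t "$(printf '%s' "$cutoff" | tr -d -)0000" "$ref"
    find "$dir" -type f -newer "$ref" | LC_ALL=C sort
    rm -f "$ref"
}

# Filters CSV rows "ID,user_login,user_registered" (the shape produced by
# `wp user list --fields=ID,user_login,user_registered --format=csv`) to
# logins registered on or after CUTOFF. ISO dates compare correctly as strings.
users_registered_since() {
    cutoff="$1"
    awk -F, -v c="$cutoff" 'NR > 1 && substr($3, 1, 10) >= c { print $2 }'
}

# Content hash of a directory tree: sorted relative paths plus file contents,
# so a renamed, added or altered file all change the result.
hash_tree() {
    dir="$1"
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s\n' "$f"; cat "$f"
      done ) | sha256_stdin
}

# Succeeds only if the installed tree hashes to the expected value
# (typically hash_tree of a clean, vendor-verified extraction).
verify_plugin_build() {
    installed="$1"; expected="$2"
    actual=$(hash_tree "$installed")
    [ "$actual" = "$expected" ]
}

# Stand-alone use: WP_ROOT=/var/www/site CUTOFF=2026-04-07 \
#   PLUGIN_DIR=... CLEAN_DIR=... sh audit.sh
if [ -n "${WP_ROOT:-}" ]; then
    echo "== mu-plugins files modified on/after ${CUTOFF:?}"
    find_recent_mu_plugins "$WP_ROOT" "$CUTOFF"
    if command -v wp >/dev/null 2>&1; then
        echo "== users registered on/after $CUTOFF"
        wp --path="$WP_ROOT" user list --fields=ID,user_login,user_registered --format=csv \
            | users_registered_since "$CUTOFF"
    fi
    if [ -n "${PLUGIN_DIR:-}" ] && [ -n "${CLEAN_DIR:-}" ]; then
        if verify_plugin_build "$PLUGIN_DIR" "$(hash_tree "$CLEAN_DIR")"; then
            echo "== installed plugin matches clean release tree"
        else
            echo "== MISMATCH: installed plugin differs from clean release tree" >&2
        fi
    fi
fi
```

A clean hash match only tells you the plugin tree is now clean; it says nothing about what a trojanized build did while it was active, so a match is not a reason to skip the mu-plugins and user-account checks, and any hit from those two is grounds to treat the host as compromised rather than to delete the file and move on.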
Board Talking Points
Attackers infiltrated the software update system for a plugin installed on over 900,000 websites and used it to secretly take full control of any site that updated during a specific window in April 2026.
Any affected site must be treated as fully compromised and taken offline for forensic review and clean restoration before returning to service — this should begin within 24 hours of confirmation.
Sites that remain online without remediation are actively at risk of customer data theft, fraudulent content injection, and use as malware distribution infrastructure, compounding legal and reputational exposure with each hour of inaction.
GDPR / applicable data protection law — WordPress/Joomla sites processing EU resident personal data (contact forms, user accounts, e-commerce) are subject to breach notification obligations if compromise is confirmed
PCI-DSS — sites processing or transmitting payment card data through affected installations face potential card data exposure and must notify their acquirer per PCI-DSS Requirement 12.10