In a recent cybersecurity incident, several WordPress plugins from ShapedPlugin were compromised through a supply chain attack. This breach allowed unknown attackers to manipulate official distribution channels, embedding malicious backdoor code into Pro plugin updates.
Details of the Compromise
Wordfence, a WordPress security firm, revealed that the attackers infiltrated the vendor’s build and distribution systems. They injected backdoor code into the Pro versions of plugins, which were distributed through official licensed update channels. The affected plugins include Product Slider Pro for WooCommerce (versions before 3.5.4), Real Testimonials Pro (version 3.2.5), and Smart Post Show Pro (versions before 4.0.2).
Notably, this breach only impacts the Pro versions distributed via ShapedPlugin’s Easy Digital Downloads (EDD) system at account.shapedplugin[.]com, leaving free versions on WordPress.org untouched.
Severity and Impact
The supply chain breach concerning Product Slider Pro for WooCommerce has been designated CVE-2026-49777, with a critical CVSS score of 10.0. The overall incident bears the CVE identifier CVE-2026-10735, scoring 9.8. The compromised plugins utilize a loader that activates with every admin page load, retrieving a payload from a remote server to install a fake plugin.
Once deployed, the malware reports the compromised site's domain back to the attackers' server and then deletes itself to hinder incident response. It also hides from the WordPress admin plugin list and captures credentials and 2FA codes in plaintext.
Technical Exploitation and Response
The malware establishes persistence in several ways: a REST endpoint, gated by a specific authentication token, that allows arbitrary file writes, and a web shell with command execution capability. A PHP script named “install-persistent.php” extracts data such as the contents of wp-config.php, admin account details, mail plugin credentials, and recent WooCommerce order data.
This file is subsequently deleted to obscure the attack. The breach likely resulted from a compromise of the build pipeline rather than direct tampering with packaged releases.
ShapedPlugin acknowledged the incident and is reassessing its release processes to fortify product integrity. Updated versions of the affected plugins will undergo thorough security evaluations before release.
Recommendations and Future Measures
Site owners using the compromised versions are advised to reset all passwords, revoke and regenerate 2FA secrets, scrutinize admin accounts for unauthorized changes, and examine mail plugin configurations for altered SMTP credentials.
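As an added triage aid (example code, not from Wordfence or ShapedPlugin), the script below walks a wp-content/plugins directory, reads each plugin's header, and flags installs whose name and version fall in the affected ranges listed above; it also flags any leftover install-persistent.php. It assumes the plugin headers carry the product names exactly as written in this report, and that the dropper, if still present, sits inside a plugin folder; both are assumptions.

```python
import os
import re
import tempfile

# Affected products and version rules as reported above. Matching on the header's
# "Plugin Name" value is an assumption; the vendor's real header text may differ.
AFFECTED = {
    "Product Slider Pro for WooCommerce": lambda v: v < (3, 5, 4),
    "Real Testimonials Pro": lambda v: v == (3, 2, 5),
    "Smart Post Show Pro": lambda v: v < (4, 0, 2),
}
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)
def parse_header(php_source):
    """Pull Plugin Name / Version out of a WordPress plugin file header comment."""
    return dict(HEADER_RE.findall(php_source))
def version_tuple(v):
    return tuple(int(x) for x in re.findall(r"\d+", v))  # '3.5.4-beta' -> (3, 5, 4)
def is_affected(name, version):
    check = AFFECTED.get(name or "")
    return bool(check and version and check(version_tuple(version)))

def triage(plugins_dir):
    """Walk wp-content/plugins and return (slug, reason) pairs that need follow-up."""
    findings = []
    for slug in sorted(os.listdir(plugins_dir)):
        pdir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(pdir):
            continue
        for fname in sorted(os.listdir(pdir)):
            if fname == "install-persistent.php":  # dropper file named in the report
                findings.append((slug, "install-persistent.php present"))
            elif fname.endswith(".php"):
                with open(os.path.join(pdir, fname), encoding="utf-8", errors="replace") as fh:
                    hdr = parse_header(fh.read())
                if is_affected(hdr.get("Plugin Name"), hdr.get("Version")):
                    findings.append((slug, f"{hdr['Plugin Name']} {hdr['Version']} is an affected version"))
    return findings
def demo():
    """Constructed fixture: one affected version, one leftover dropper file, one clean plugin."""
    root = tempfile.mkdtemp()
    fixtures = {"product-slider-pro": ("Product Slider Pro for WooCommerce", "3.5.3"),
                "real-testimonials-pro": ("Real Testimonials Pro", "3.2.6"),
                "smart-post-show-pro": ("Smart Post Show Pro", "4.0.2")}
    for slug, (name, ver) in fixtures.items():
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, slug + ".php"), "w") as fh:
            fh.write(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
    open(os.path.join(root, "smart-post-show-pro", "install-persistent.php"), "w").close()
    return triage(root)
```

Run `triage("/path/to/wp-content/plugins")` on a real install; `demo()` exercises it against the constructed fixture. A hit only means the version is in scope, so the password, 2FA and SMTP checks above still apply.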
ShapedPlugin’s swift response and commitment to security reviews signal a proactive stance in safeguarding its user base against future threats.
