Several WordPress plugins from ShapedPlugins were compromised in a supply chain attack after unknown threat actors managed to tamper with the official release channels and push backdoor code.
“Attackers compromised the vendor’s build and distribution pipeline by injecting backdoor code into Pro plugin releases distributed through official licensed update channels,” Wordfence said in an analysis published last week.
The incident affects the following plugins:
- Product Slider Pro for WooCommerce (versions before 3.5.4)
- Real Testimonials Pro (version 3.2.5)
- Smart Post Show Pro (versions before 4.0.2)
The compromise only affects Pro plugin builds distributed through the vendor’s Easy Digital Downloads (EDD) infrastructure via Account.ShapedPlugins[.]com. Free versions of the plugins on WordPress.org are not affected.
The supply chain compromise associated with Product Slider Pro for WooCommerce has been assigned CVE identifier CVE-2026-49777 with a CVSS score of 10.0, indicating maximum severity. CVE-2026-10735 (CVSS score: 9.8) is the CVE identifier for the entire incident.
The WordPress security company said that compromised versions of the plugins include a loader that runs on every admin page, fetches a payload from a remote server (“194.76.217[.]28:2871”), installs it, and activates it as a fake plugin.
Once activated, the malware reports the victim domain back to the server and erases itself to cover its tracks and complicate incident response efforts. The fake plugin, for its part, hides itself from the WordPress admin plugin list and is capable of capturing credentials in plaintext as well as two-factor authentication (2FA) codes.
It also installs several persistence mechanisms that enable arbitrary file writes through a custom REST endpoint when a specific authentication token is provided, and drops a web shell with command execution features. Finally, it uses a PHP file called “install-persistent.php”, which is bundled as part of the plugin, to extract the following data:
- Complete contents of wp-config.php including database credentials, authentication keys, and debug settings
- All admin accounts with registration dates
- Credentials for the WP Mail SMTP, Post SMTP, and Easy WP SMTP mail plugins
- WooCommerce order data from the last 3 months, with payment method details
Once this information is displayed, the file is deleted. Evidence indicates that the attack may have involved a compromise of the build pipeline, as opposed to direct poisoning of the packages.
What’s particularly dangerous about this attack is that the site owners exposed to the malware are those who purchased legitimate licenses and installed updates directly from the vendor’s official update system.
Upon being notified of the issue, ShapedPlugins confirmed the incident and said it is reviewing its distribution and release processes to ensure the integrity of its products going forward. New versions of the affected plugins are expected to be released pending a comprehensive security review and validation testing.
Site owners who have installed malicious versions are advised to reset all passwords, revoke and regenerate 2FA secrets for all users, review administrator accounts for unauthorized additions, and check the mail plugin configuration for modified SMTP credentials.
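To help triage a site before working through those steps, the following added example (not code from Wordfence or ShapedPlugins) scans a `wp-content/plugins` directory for the affected versions listed above, the bundled “install-persistent.php” file, and the reported server address. It assumes the "Plugin Name" header in each plugin's main file matches the product name given in this article, which may not hold for every build.

```python
import re
import sys
from pathlib import Path

# Affected Pro builds as listed in the article. Assumption: the plugin's
# "Plugin Name" header matches the product name used here.
AFFECTED = {
    "Product Slider Pro for WooCommerce": lambda v: v < (3, 5, 4),
    "Real Testimonials Pro": lambda v: v == (3, 2, 5),
    "Smart Post Show Pro": lambda v: v < (4, 0, 2),
}
# Indicators named in the article; the address is kept defanged in source.
C2_HOST = "194.76.217[.]28".replace("[.]", ".")
DROPPED_FILE = "install-persistent.php"
# WordPress plugin header fields inside the leading PHP comment.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.M | re.I)

def parse_version(text):
    """Turn '3.5.3' into (3, 5, 3); anything past three numbers is ignored."""
    parts = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def scan(plugins_dir):
    """Return (kind, relative_path) findings for every PHP file under plugins_dir."""
    root = Path(plugins_dir)
    findings = []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        if path.name == DROPPED_FILE:
            findings.append(("dropped-file", rel))
        # A literal match only; an obfuscated loader would not be caught here.
        if C2_HOST in text:
            findings.append(("c2-address", rel))
        # WordPress reads header fields from the first 8 KB of the file.
        fields = {k.lower(): v for k, v in HEADER.findall(text[:8192])}
        is_affected = AFFECTED.get(fields.get("plugin name", ""))
        if is_affected and "version" in fields:
            if is_affected(parse_version(fields["version"])):
                findings.append(("affected-version", rel))
    return findings

if __name__ == "__main__":
    for kind, rel in scan(sys.argv[1]):
        print(f"{kind}\t{rel}")
```

A clean result does not clear a site: as described above, the loader erases itself and the fake plugin hides from the admin list, so the password, 2FA, administrator account and SMTP checks still apply wherever an affected version was ever installed.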