ShapedPlugin Supply Chain Attack Sent Backdoored WordPress Updates to Paying Customers


A supply chain attack on ShapedPlugin’s paid WordPress plugin update system sent backdoored releases to customers who installed updates from the vendor’s official channels. The incident affected several Pro plugins and gave attackers a path to steal credentials, collect site data, and write files remotely on compromised WordPress sites.

The issue affected Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro. According to Wordfence, the attackers compromised the vendor’s build and distribution pipeline, then injected malicious code into Pro plugin builds distributed through official licensed update channels.

BleepingComputer reported that ShapedPlugin’s free plugins, which have more than 400,000 active installations in total, were not the affected distribution channel. The compromise targeted paid Pro products rather than the public WordPress.org plugin repository.

Which ShapedPlugin Products Were Affected

The affected plugins were all commercial products sold and updated outside the standard WordPress.org update flow. That made the incident especially dangerous because customers received malicious code while following normal update practices.

The incident is tracked as CVE-2026-10735. The CVE record says multiple ShapedPlugin plugins contain a backdoor that can allow unauthenticated attackers to gain backdoor access to affected sites. A duplicate identifier, CVE-2026-49777, also appeared in related reporting.

Wordfence’s vulnerability database lists a critical CVSS 9.8 rating for the issue and says the malicious code gives attackers backdoor access to sites using compromised plugin copies. Its vulnerability record currently marks Product Slider Pro and Smart Post Show Pro as patched, while Real Testimonials Pro has a more uncertain patch status.

| Plugin | Affected Status | Known Clean or Latest Version Mentioned |
|---|---|---|
| Product Slider Pro for WooCommerce | Versions before 3.5.4 were affected, according to Wordfence | 3.5.4 or later |
| Real Testimonials Pro | Wordfence lists versions up to 3.2.5 as affected | Vendor lists 3.2.6, but the changelog wording does not clearly describe a security fix |
| Smart Post Show Pro | Versions before 4.0.2 were affected, according to Wordfence | 4.0.2 or later |

How the Backdoor Worked

The malicious update used a loader file that ran when a WordPress administrator opened the admin dashboard. Once active, it contacted a command-and-control server, downloaded a second-stage payload, installed a fake WooCommerce-style plugin, reported back to the attackers, and then tried to remove traces of the first-stage loader.

The fake plugin used names such as woocommerce-subscription or woocommerce-notification. It hid itself from the WordPress plugin list, which made it harder for site owners to notice during a normal admin review.

The malware could target sensitive data from WordPress sites, including administrator credentials, session cookies, 2FA secrets, database credentials, authentication keys, SMTP credentials, and recent WooCommerce order data. BleepingComputer said the fake plugin also gave operators remote file-writing capabilities.

  • Fake plugin names included WooCommerce-style labels to avoid suspicion.
  • The backdoor activated when an administrator used the WordPress admin area.
  • The malware attempted to steal site, user, database, email, and WooCommerce data.
  • The malicious loader deleted itself after installing the second-stage payload.

Why Researchers Suspect a Build Pipeline Breach

Researchers believe the attackers likely compromised ShapedPlugin’s build or distribution pipeline rather than simply modifying one plugin package by hand. The evidence included file timestamp patterns, automated-looking file changes, and build references linked to private Git-based workflows.

Wordfence said the malicious changes appeared inside Pro builds distributed through ShapedPlugin’s official licensed update channels. That made the attack a classic software supply chain compromise because the poisoned updates came from a trusted source.

The public WordPress.org versions were reportedly clean. That matters because it suggests the attackers did not broadly compromise every ShapedPlugin product, but instead found a way into the commercial release infrastructure used for paid downloads and updates.

Patch Status and What Site Owners Should Do

Site owners using Product Slider Pro for WooCommerce should update to the latest available version. The official Product Slider changelog lists version 3.5.4 on June 5 with a security enhancement entry.

Smart Post Show Pro users should also update to the latest available release. The official Smart Post changelog lists version 4.0.2 on May 23 with security enhancement notes, followed by version 4.0.3 on June 15.

Real Testimonials Pro requires extra caution. The official Real Testimonials changelog lists version 3.2.6 on June 16, but the public note only says it fixes WPCS-related warnings. Because Wordfence still marked the plugin as having no known patch in its vulnerability entry, administrators should verify the package directly with the vendor or their security provider before assuming the risk has been fully resolved.

| Action | Why It Matters |
|---|---|
| Update affected Pro plugins from trusted vendor accounts | Clean versions replace known malicious builds where patches are available |
| Inspect wp-content/plugins directly | Hidden fake plugins may not appear in the WordPress admin plugin list |
| Look for suspicious WooCommerce-like plugin folders | The backdoor used names designed to look legitimate |
| Rotate credentials and salts | The malware targeted passwords, cookies, database credentials, and authentication keys |
| Review admin users and logs | Attackers may have added accounts or changed files after gaining access |

Real Testimonials Pro Needs Special Attention

The patch picture around Real Testimonials Pro remains less clear than the other two affected products. The Wordfence vulnerability record lists Real Testimonials Pro as affected through version 3.2.5 and says no known patch is available.

At the same time, the vendor’s Real Testimonials changelog shows a newer 3.2.6 build. Since the public changelog does not clearly describe a security fix, site owners should treat Real Testimonials Pro installations as higher risk until they confirm whether their installed build is clean.

Security teams should not stop at plugin updates. If a site installed one of the malicious builds, the attackers may already have harvested credentials or installed persistent access. Cleaning the plugin alone may not remove every foothold.

Administrators should first check whether any of the affected Pro plugins were updated during the suspected compromise window. If so, they should inspect the file system, not only the WordPress admin dashboard, because the second-stage plugin was designed to hide from the normal plugin list.

They should also search for unexpected folders or files using WooCommerce-like names, especially if the site does not use matching WooCommerce subscription or notification extensions. If a suspicious fake plugin appears, the site should be treated as compromised.
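One way to carry out the file-system check described above, as an added example that is not code from the article, ShapedPlugin, Wordfence or BleepingComputer: it compares the plugin folders present in wp-content/plugins with the slugs WordPress itself reports (assumed to come from WP-CLI's `wp plugin list --field=name`, captured to a file), so a plugin that suppresses itself from the admin list still surfaces, and it separately flags the two decoy folder names quoted in the article.

```shell
#!/usr/bin/env bash
# Added example (not from the article or the vendor): reconcile on-disk plugin folders
# with the plugins WordPress reports, and flag known WooCommerce-style decoy names.
set -eu

# Decoy folder names named in the article; extend with anything your site does not use.
SUSPICIOUS_NAMES='woocommerce-subscription woocommerce-notification'

# audit_plugins <wp-content/plugins dir> <file holding `wp plugin list --field=name` output>
# The WP-CLI output is passed as a file (one slug per line) so the check can run against
# a copied site or on a host without WP-CLI. One finding per output line:
#   HIDDEN <slug>           folder exists on disk but WordPress does not list it
#   SUSPICIOUS-NAME <slug>  folder name matches a known decoy, whether listed or not
audit_plugins() {
  plugins_dir=$1
  wp_list=$2
  # Plugin slugs are directory names; slugs never contain whitespace, so word
  # splitting on $on_disk below is safe.
  on_disk=$(
    for d in "$plugins_dir"/*/; do
      [ -d "$d" ] && basename "$d"
    done | sort
  )
  if [ -z "$on_disk" ]; then
    return 0
  fi
  # Set difference: slugs on disk that are absent from WordPress's own list.
  # grep -x matches whole lines, -F treats the list entries as literal strings.
  printf '%s\n' "$on_disk" | grep -vxF -f "$wp_list" | sed 's/^/HIDDEN /' || true
  # Name match against the decoy list, independent of whether WordPress lists it.
  for slug in $on_disk; do
    for bad in $SUSPICIOUS_NAMES; do
      if [ "$slug" = "$bad" ]; then
        printf 'SUSPICIOUS-NAME %s\n' "$slug"
      fi
    done
  done
  return 0
}

# Typical use on the live host (paths are assumptions, adjust to the install):
#   wp plugin list --field=name > /tmp/wp-listed.txt
#   audit_plugins /var/www/html/wp-content/plugins /tmp/wp-listed.txt
```

Any HIDDEN finding means a folder WordPress will not show in its plugin screen; treat the site as compromised rather than simply deleting the folder, since the article notes the payload also harvested credentials.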

The CVE-2026-10735 entry describes the issue as a backdoor affecting multiple ShapedPlugin plugins, which means cleanup should include credential rotation and user review, not only deleting suspicious files.

  • Reset WordPress administrator and user passwords.
  • Regenerate WordPress authentication salts and keys.
  • Rotate database, SMTP, hosting, API, and payment-related credentials where exposed.
  • Regenerate 2FA secrets for affected administrator accounts.
  • Review WooCommerce order access and audit recent file changes.
  • Scan the server with a trusted malware scanner or incident response tool.

Why This Attack Matters

The ShapedPlugin incident shows why WordPress supply chain attacks remain difficult for site owners to defend against. The affected customers did not download plugins from piracy sites or unofficial mirrors. They used the vendor’s own update channel.

The official Product Slider changelog and Smart Post changelog show security-related maintenance entries around the affected period, but changelog language alone may not give administrators enough detail to measure exposure.

For businesses using WordPress and WooCommerce, the safest response is to assume that a malicious update may have done more than add a bad file. Affected site owners should confirm plugin versions, inspect the server, rotate credentials, and review whether attackers created any lasting access before returning the site to normal operation.

FAQ

What happened in the ShapedPlugin supply chain attack?

Attackers compromised ShapedPlugin’s paid plugin build or distribution flow and pushed backdoored Pro plugin updates through official vendor channels. Customers who installed affected updates may have received malware from a trusted source.

Which ShapedPlugin plugins were affected?

The affected paid plugins include Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro. Public WordPress.org versions were reported as clean, while the compromise affected commercial Pro builds.

What did the malware do on WordPress sites?

The malware installed a hidden fake WooCommerce-style plugin, stole credentials and authentication data, collected sensitive WordPress and WooCommerce information, and gave attackers remote file-writing capabilities.

Is updating the plugin enough to clean an infected site?

No. Updating can replace affected plugin files where clean versions are available, but it may not remove stolen credentials, rogue admin accounts, hidden backdoors, or attacker changes. Affected sites should also rotate passwords, regenerate salts and 2FA secrets, review users, and scan the file system.

What is CVE-2026-10735?

CVE-2026-10735 is the vulnerability identifier used for the ShapedPlugin backdoored plugin incident. It covers multiple ShapedPlugin plugins that contained malicious code capable of granting unauthenticated attackers backdoor access to affected WordPress sites.
