HackMyIP
2026-06-22 The Hacker News

ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack

Supply Chain, Malware, Vulnerability

Multiple premium WordPress plugins from ShapedPlugin were compromised in a sophisticated supply chain attack after unknown threat actors tampered with the vendor's official release channels and pushed backdoored code through licensed update distribution. According to Wordfence, attackers breached the vendor's build and distribution pipeline, injecting malicious code into Pro plugin builds served via Easy Digital Downloads (EDD) infrastructure at account.shapedplugin[.]com. The affected plugins include Product Slider Pro for WooCommerce (versions before 3.5.4), Real Testimonials Pro (version 3.2.5), and Smart Post Show Pro (versions before 4.0.2). The free versions hosted on WordPress.org were not impacted, limiting the blast radius to paying customers who received updates through official channels.

The compromise has been assigned two CVE identifiers: CVE-2026-49777 (CVSS 10.0) for the Product Slider Pro flaw, and CVE-2026-10735 (CVSS 9.8) covering the broader incident. Once installed, the malicious code injects a loader triggered on every admin page, which fetches a remote payload from 194.76.217[.]28:2871, installs it, and activates it as a counterfeit plugin. Site administrators concerned about exposure can run a WHOIS lookup on the indicator IP and check their network logs for outbound connections to that C2 listener on port 2871. The fake plugin conceals itself from the WordPress admin interface while capturing credentials in plaintext, intercepting two-factor authentication codes, and establishing multiple persistence mechanisms, including arbitrary file writes through a custom REST endpoint and a web shell with command execution capabilities.

Data exfiltration is performed via a bundled PHP file named "install-persistent.php," which extracts the full contents of wp-config.php (including database credentials and authentication salts), all administrator account records with registration dates, mail plugin credentials from WP Mail SMTP, Post SMTP, and Easy WP SMTP, and three months of WooCommerce order data with payment method breakdowns. After exfiltration, the file self-deletes to obscure forensic evidence. Given that the payload captures authentication material from production sites, affected administrators should treat those credentials as exposed regardless of their strength and rotate all secrets immediately, including database passwords, authentication salts, and SMTP keys.

Evidence points to a compromise of the build pipeline rather than direct tampering with the distributed packages, meaning that sites running legitimate licensed copies installed directly from ShapedPlugin's official update system are also at risk. ShapedPlugin has confirmed the incident and stated it is reviewing its distribution and release processes to safeguard product integrity going forward. Site owners running the affected Pro plugin versions are urged to update immediately, audit administrator accounts for unauthorized additions, scan for the "install-persistent.php" artifact, and verify that no rogue plugins have been silently activated in their installations.
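To make that checklist concrete, here is an added Python triage script (not code from Wordfence, ShapedPlugin or The Hacker News) that walks a wp-content/plugins tree, flags plugin headers matching the affected Pro versions named in the report, and reports any install-persistent.php still on disk. The header "Plugin Name" strings are an assumption, and the sample tree it builds in a temporary directory is constructed for the demo.

```python
import os, re, tempfile
from pathlib import Path

# Affected Pro builds as the report states them, keyed by the header "Plugin Name".
# Exact header strings are an assumption; verify them against your own plugin files.
AFFECTED = {
    "Product Slider Pro for WooCommerce": lambda v: v < (3, 5, 4),
    "Real Testimonials Pro": lambda v: v == (3, 2, 5),
    "Smart Post Show Pro": lambda v: v < (4, 0, 2),
}
ARTIFACT = "install-persistent.php"  # exfiltration script named in the report
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

def parse_version(text):
    """'3.5.3' -> (3, 5, 3); anything non-numeric is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def plugin_header(path):
    """Return (name, version) from a WordPress plugin header, or None."""
    with open(path, encoding="utf-8", errors="replace") as f:
        fields = dict(HEADER_RE.findall(f.read(8192)))
    if "Plugin Name" not in fields:
        return None
    return fields["Plugin Name"], fields.get("Version", "0")

def triage(plugins_dir):
    """Walk wp-content/plugins; return (affected builds, artifact paths)."""
    affected, artifacts = [], []
    for root, _, files in os.walk(plugins_dir):
        for name in files:
            path = Path(root) / name
            if name == ARTIFACT:  # it self-deletes after use, so absence proves nothing
                artifacts.append(str(path))
            if name.endswith(".php") and (hdr := plugin_header(path)):
                pname, ver = hdr
                if pname in AFFECTED and AFFECTED[pname](parse_version(ver)):
                    affected.append(f"{pname} {ver}")
    return sorted(affected), sorted(artifacts)

def demo():
    """Constructed sample tree (placeholder slugs, not real plugin code)."""
    base = Path(tempfile.mkdtemp())
    samples = {"sample-a": ("Product Slider Pro for WooCommerce", "3.5.3"),
               "sample-b": ("Real Testimonials Pro", "3.2.6"),
               "sample-c": ("Smart Post Show Pro", "4.0.1")}
    for slug, (pname, ver) in samples.items():
        (base / slug).mkdir()
        (base / slug / "main.php").write_text(
            f"<?php\n/*\n * Plugin Name: {pname}\n * Version: {ver}\n */\n")
    (base / "sample-c" / ARTIFACT).write_text("<?php // placeholder\n")
    return triage(base)
```

Point `triage()` at a real wp-content/plugins directory to run it on a site; a clean result still warrants the admin-account and rogue-plugin audit, since the artifact removes itself.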

Source: The Hacker News
