Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack after unknown threat actors managed to tamper with the official release channels and push backdoor code.

"Attackers compromised the vendor's build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels," Wordfence said in an analysis published last week.

The incident affects the following plugins and versions -

  • Product Slider Pro for WooCommerce 3.5.2
  • Real Testimonials Pro 3.2.4 and 3.2.5
  • Smart Post Show Pro 4.0.1

As mentioned above, it's worth emphasizing that the compromise only affects Pro plugin builds distributed through the vendor's Easy Digital Downloads (EDD) infrastructure via account.shapedplugin[.]com. The free versions of the plugins on WordPress.org are not impacted.

The supply chain compromise is being tracked as CVE-2026-10735 (CVSS score: 9.8). An earlier identifier, CVE-2026-49777, that was submitted for Product Slider Pro for WooCommerce has been marked as a duplicate.

The WordPress security company said the compromised versions of the plugins incorporate a loader that's triggered on every admin page, causing it to fetch a payload from a remote server ("194.76.217[.]28:2871"), install it, and activate it as a fake plugin.

Once it's activated, the malware reports the victim domain back to the server and erases itself to cover up the tracks and complicate incident response efforts. The counterfeit plugin, for its part, hides itself from the WordPress admin plugin list and is capable of capturing credentials in plaintext and two-factor authentication (2FA) codes.

It also establishes multiple persistence methods that enable arbitrary file writes via a custom REST endpoint when provided a specific authentication token, as well as drop a web shell with command execution features.

According to ShapedPlugin's advisories, the malware installs a fake plugin named "WooCommerce Subscription" (not the legitimate WooCommerce Subscriptions extension) and adds a loader to the active theme's functions.php that reads a Base64-encoded payload stored in the "theme_options_scripts" option in the "wp_options" table, writes it to a temporary file, and executes it on every page load.

The payload extracts the following data -

  • Full contents of wp-config.php, including database credentials, authentication keys, and debug settings
  • All administrator accounts with registration dates
  • Mail plugin credentials from WP Mail SMTP, Post SMTP, and Easy WP SMTP
  • WooCommerce order data from the last 3 months with payment method breakdown

Once this information is displayed in an HTML page, the file is self-deleted. Wordfence assessed the evidence points to a compromise of the build and distribution pipeline rather than direct poisoning of individual packages. ShapedPlugin, however, described the incident as tampering with its Pro builds distributed through the Easy Digital Downloads update channel.

What's particularly dangerous about this attack is that it exposes site owners who purchased legitimate licenses and installed updates directly from the vendor's official update system to malware.

ShapedPlugin has since released clean versions: Product Slider Pro for WooCommerce 3.5.3, Smart Post Show Pro 4.0.2 (current release 4.0.5), and Real Testimonials Pro 3.2.6.

The company also said Real Testimonials Pro 3.2.5 initially shipped clean on May 23, 2026, before its package was tampered with under the same version number. The maintainers replaced it with version 3.2.6 on June 16, 2026. The findings explain why version labels alone are not a reliable indicator of a clean build.

Updating an affected plugin installs a clean package but does not remove the second-stage payload if the malware has already run. Both ShapedPlugin and Wordfence advise that sites that run an affected version complete a full cleanup rather than relying on the update alone.

Confirming the incident with The Hacker News, ShapedPlugin said it rotated credentials, took the affected distribution infrastructure offline and rebuilt it, discontinued its GitHub-based release workflow pending a hardened redesign, migrated product-file storage to isolated AWS infrastructure, moved its stack to an xCloud-managed VPS with Patchstack monitoring, and proactively notified customers who downloaded an affected build.

The Wilmington-based company also emphasized it found no evidence that customer data was accessed, while noting that the data-theft behavior applies to end-user sites that installed a tampered build. Per-product advisories with step-by-step remediation are available for Real Testimonials Pro, Product Slider Pro for WooCommerce, and Smart Post Show Pro.

Site owners who have installed the malicious versions are recommended to reset all passwords, revoke and regenerate 2FA secrets for all users, review administrator accounts for unauthorized additions, check for a fake plugin named "WooCommerce Subscription" and loader code in the active theme's "functions.php," and check mail plugin configurations for modified SMTP credentials.

(This article was updated after publication on July 7, 2026, with corrected version boundaries for the affected and patched plugins, revised indicators of compromise from ShapedPlugin's official advisories, and an official statement from ShapedPlugin.)

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.