INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
ShapedPlugin WordPress Exploit in Supply Chain
2026-06-22 18:00 | CRITICAL | MEDIUM

Executive Summary (AI-generated)
The supply chain compromise affecting ShapedPlugin's WordPress plugins has been identified as a critical incident of maximum severity. The compromised versions of the affected plugins, including Product Slider Pro for WooCommerce and Real Testimonials Pro, incorporate a loader that triggers on every admin page and fetches a payload from a remote server, exposing affected sites to data theft and unauthorized access. The affected versions are those listed by ShapedPlugin as impacted, and the incident has been assigned the CVE identifiers CVE-2026-49777 and CVE-2026-10735. ShapedPlugin has confirmed the incident and is reviewing its distribution and release processes to ensure the integrity of its products going forward.

Technical Mitigations (AI-generated)
* Implement a secure update mechanism that verifies the authenticity of updates before installing them, and only allows installations from trusted sources.
* Use a Content Security Policy (CSP) to restrict the types of scripts and stylesheets that can be executed on WordPress sites, and ensure that all plugins are properly sanitized and validated before installation.
* Regularly review and update WordPress core and plugin dependencies so that known vulnerabilities cannot be exploited by attackers.
* Consider using a Web Application Firewall (WAF) or an Intrusion Detection System (IDS) to detect and respond to potential security threats on WordPress sites.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-49777
CVE-2026-10735
Target & Sectors
NORTH_AMERICA
Incident Timeline
May 21
ShapedPlugin's Pro builds were compromised on May 21 through a supply chain attack.
According to data WordPress security company Defiant collected from its WordFence firewall, the backdoor was injected into ShapedPlugin's Pro builds on May 21, and the first customer reports about potentially malicious updates emerged on June 10.
June 10
ShapedPlugin's Pro plugins were compromised in a supply chain attack on May 21.
June 12
Researchers confirmed the breach on June 12 after downloading infected plugins from ShapedPlugin.
June 15
Threat actors used a supply chain attack to inject backdoor code into ShapedPlugin WordPress Pro Plugins.
June 16
The researchers discovered the breach on June 16 after downloading infected plugins from the ShapedPlugin site.
June 22
The compromised versions of ShapedPlugin's Product Slider Pro for WooCommerce, Real Testimonials Pro and Smart Post Show Pro, distributed through a supply chain attack, load malicious code on every admin page.
The incident affects the following plugins:
* Product Slider Pro for WooCommerce (versions before 3.5.4)
* Real Testimonials Pro (version 3.2.5)
* Smart Post Show Pro (versions before 4.0.2)
As mentioned above, it's worth emphasizing that the compromise only affects Pro plugin builds distributed through the vendor's Easy Digital Downloads (EDD) infrastructure via account.shapedplugin[.]com.
The supply chain compromise associated with Product Slider Pro for WooCommerce has been assigned the CVE identifier CVE-2026-49777, along with a CVSS score of 10.0, indicating maximum severity.
The WordPress security company said the compromised versions of the plugins incorporate a loader that's triggered on every admin page, causing it to fetch a payload from a remote server ("194.76.217[.]28:2871"), install it, and activate it as a fake plugin.
Lastly, it makes use of a PHP file named "install-persistent.php," which is bundled as part of the plugin, to extract the following data:
* Full contents of wp-config.php, including database credentials, authentication keys, and debug settings
* All administrator accounts with registration dates
* Mail plugin credentials from WP Mail SMTP, Post SMTP, and Easy WP SMTP
* WooCommerce order data from the last 3 months with payment method breakdown
Once this information is displayed, the file is deleted.
The free versions of the plugins on WordPress.org are not impacted.
Upon being notified of the issue, ShapedPlugin has confirmed the incident, adding that it's reviewing the distribution and release processes to ensure the integrity of its products going forward.
June 22
Threat actors used a fake plugin to backdoor ShapedPlugin WordPress Pro Plugins in supply chain attack.
According to Wordfence, fixes were made available on Product Slider Pro in version 3.5.4 and Smart Post Show Pro in version 4.0.2.
The security incident affected only three paid plugins: Product Slider Pro before 3.5.4 for WooCommerce, Real Testimonials Pro 3.2.5, and Smart Post Show Pro before 4.0.2.
WordPress is currently tracking the incident under CVE-2026-10735, while CVE-2026-49777 was also submitted as a duplicate.
ShapedPlugin update flow hacked to infect WordPress sites.
The fake plugin, which is hidden from the WordPress plugin list, attempts to steal the following information on infected sites:
* WordPress login credentials (usernames, passwords, session cookies, user roles, IP addresses, and browser details)
* Two-factor authentication (2FA) secrets from popular WordPress security plugins
* Database credentials and WordPress authentication keys from wp-config.php
* Administrator account details
* SMTP/email service credentials
* WooCommerce order data from the past three months, including payment method information
The researchers believe this was a build pipeline compromise, based on the file modifications, timestamp patterns suggesting automated injection, and Git build references contained in the packages.
The malware delivered this way installed a fake plugin that impersonates WooCommerce components, steals credentials, and grants operators remote file-writing capabilities.
ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack.
Ravie Lakshmanan, Jun 22, 2026, Supply Chain Attack / Malware
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack after unknown threat actors managed to tamper with the official release channels and push backdoor code.
Also, releases hosted on WordPress.org were confirmed to be clean, suggesting that the attackers gained access to ShapedPlugin’s release infrastructure.
BleepingComputer has contacted the plugin vendor for a statement, and the company pointed us to the release of Real Testimonial Pro version 3.2.6, which lists a single fix described as “Fix: Some WPCS-related warnings.”
Supply-chain compromise
According to Wordfence’s analysis, the infected plugins contain a malicious loader file (LicenseLoader.php) that activates when a WordPress administrator accesses the website’s admin panel.
ShapedPlugin is a WordPress plugin vendor specializing in front-end/UI components and content display plugins, with a total active installation base of more than 400,000 for the free products.
The ShapedPlugin compromise comes shortly after another major WordPress product, OptinMonster, was breached in a CDN supply-chain attack made possible by a flaw in a marketing server that allowed the hacker to steal credentials for a CDN account.
Intelligence Sources
* BleepingComputer, 2026-06-18: ShapedPlugin update flow hacked to infect WordPress sites
* The Hacker News, 2026-06-22
Incident Version History: last updated 2026-06-29T06:25
Comprehensive Tactical Telemetry
Highly Correlated Entities
* Smart Post Show Pro (organisation, identified entity): 23x
* Jun 22, 2026 (timeline, temporal reference): 8x
* 3.5.4 (infrastructure, software version): 5x
* CVE-2026-49777 (vulnerability, exploited CVE): 2x
* 54% (general metric): 2x
Contextual Telemetry (4 metrics)
* CVSS Score: 10
* MITRE ATT&CK Technique: T1588.001 - Malware
* Date: Jun 22
* Target Country: United States