
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack that distributed infected releases to paying customers via the vendor's official update system.
The malware delivered this way installed a fake plugin that impersonates WooCommerce components, steals credentials, and grants operators remote file-writing capabilities.
ShapedPlugin is a WordPress plugin vendor specializing in front-end/UI components and content display plugins, with a total active installation base of more than 400,000 for the free products.
The security incident affected only three paid plugins: Product Slider Pro for WooCommerce before 3.5.4, Real Testimonials Pro 3.2.5, and Smart Post Show Pro before 4.0.2.
According to data WordPress security company Defiant collected from its WordFence firewall, the backdoor was injected into ShapedPlugin's Pro builds on May 21, and the first customer reports about potentially malicious updates emerged on June 10.
The researchers confirmed the breach after downloading infected plugins from the ShapedPlugin site on June 12, and the publisher acknowledged the incident on June 16.
“Our team immediately initiated an investigation upon identifying the concern, and we have already implemented the necessary measures to mitigate the issue,” ShapedPlugin told Wordfence.
The publisher added that they were preparing updated plugin releases and validating them before pushing them to the update channels.
Supply-chain compromise
According to Wordfence’s analysis, the infected plugins contain a malicious loader file (LicenseLoader.php) that activates when a WordPress administrator accesses the website’s admin panel.
It contacts the command-and-control (C2) server, downloads the second-stage payload (the backdoor), installs it as a fake plugin (woocommerce-subscription or woocommerce-notification), reports back to the attacker, and then self-deletes to erase evidence.
The fake plugin, which is hidden from the WordPress plugin list, attempts to steal the following information on infected sites:
- WordPress login credentials (usernames, passwords, session cookies, user roles, IP addresses, and browser details)
- Two-factor authentication (2FA) secrets from popular WordPress security plugins
- Database credentials and WordPress authentication keys from wp-config.php
- Administrator account details
- SMTP/email service credentials
- WooCommerce order data from the past three months, including payment method information
The researchers believe this was a build pipeline compromise, based on the file modifications, timestamp patterns suggesting automated injection, and Git build references contained in the packages.
Also, releases hosted on WordPress.org were confirmed to be clean, suggesting that the attackers gained access to ShapedPlugin’s release infrastructure.
WordPress is currently tracking the incident under CVE-2026-10735, while CVE-2026-49777 was also submitted as a duplicate.
The ShapedPlugin compromise comes shortly after another major WordPress product, OptinMonster, was breached in a CDN supply-chain attack made possible by a flaw in a marketing server that allowed the attacker to steal credentials for a CDN account.
In the ShapedPlugin case, though, the point of compromise appears to be the build pipeline.
BleepingComputer has contacted the plugin vendor for a statement, and the company pointed us to the release of Real Testimonial Pro version 3.2.6, which lists a single fix described as “Fix: Some WPCS-related warnings.”
ShapedPlugin also said that an official statement will be published after Wordfence's confirmation that the patches addressed the issue.
According to Wordfence, fixes were made available on Product Slider Pro in version 3.5.4 and Smart Post Show Pro in version 4.0.2.
If fake WooCommerce plugins are found, website administrators are advised to reset all passwords on their sites, regenerate two-factor authentication (2FA) secrets, and review user lists for rogue additions.
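The indicators above (the LicenseLoader.php loader, the two fake WooCommerce plugin directory names, and the fixed Pro versions) are enough for a site owner to triage a wp-content/plugins tree before deciding whether the password and 2FA resets apply. The script below is an added example written for this article, not code from Wordfence or ShapedPlugin: it walks a plugins directory, flags the loader file and the fake plugin slugs, and reports installed Pro builds older than the first clean release. The directory slugs used for the three Pro plugins and the contents of the demo tree it builds are assumptions for illustration.

```python
"""Defensive triage for the ShapedPlugin indicators described in the article.

Added example, not Wordfence's or ShapedPlugin's code. It scans a
wp-content/plugins tree for the loader file name and the fake plugin
directory names the article reports, and compares installed Pro plugin
versions against the fixed versions. The plugin slugs and the layout of the
demo tree are assumptions made for illustration.
"""
import os
import re
import tempfile

# Indicators reported in the article.
LOADER_FILE = "LicenseLoader.php"
FAKE_PLUGIN_SLUGS = {"woocommerce-subscription", "woocommerce-notification"}

# First clean versions reported in the article; the directory slugs are assumed.
FIXED_VERSIONS = {
    "product-slider-pro": "3.5.4",
    "real-testimonials-pro": "3.2.6",
    "smart-post-show-pro": "4.0.2",
}

# Matches the 'Version:' line of a standard WordPress plugin header comment.
VERSION_HEADER = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def parse_version(text):
    """'3.5.4' -> (3, 5, 4); tuples compare correctly where strings do not."""
    return tuple(int(p) for p in text.strip().split("."))


def is_vulnerable_version(slug, version):
    """True when an installed Pro plugin is older than its first clean release."""
    fixed = FIXED_VERSIONS.get(slug)
    return fixed is not None and parse_version(version) < parse_version(fixed)


def read_plugin_version(plugin_dir):
    """Pull the 'Version:' field from the header of the plugin's top-level PHP file."""
    for name in sorted(os.listdir(plugin_dir)):
        path = os.path.join(plugin_dir, name)
        if not name.endswith(".php") or not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            match = VERSION_HEADER.search(fh.read(4096))
        if match:
            return match.group(1)
    return None


def scan_plugins_dir(plugins_root):
    """Return a list of findings, each {'kind', 'name', 'path'}."""
    findings = []
    for slug in sorted(os.listdir(plugins_root)):
        plugin_dir = os.path.join(plugins_root, slug)
        if not os.path.isdir(plugin_dir):
            continue
        # Fake plugin directories named after WooCommerce components.
        if slug in FAKE_PLUGIN_SLUGS:
            findings.append({"kind": "fake_plugin_dir", "name": slug, "path": plugin_dir})
        # The loader file anywhere inside the plugin tree.
        for dirpath, _dirs, files in os.walk(plugin_dir):
            for fname in files:
                if fname == LOADER_FILE:
                    findings.append({"kind": "loader_file", "name": fname,
                                     "path": os.path.join(dirpath, fname)})
        # An installed Pro build older than the fixed release.
        version = read_plugin_version(plugin_dir)
        if version and is_vulnerable_version(slug, version):
            findings.append({"kind": "unpatched_version", "name": f"{slug} {version}",
                             "path": plugin_dir})
    return findings


def build_demo_tree():
    """Construct a throwaway plugins directory with one clean plugin, one
    unpatched Pro build carrying the loader file, and one fake WooCommerce
    plugin. All contents are constructed sample data, not real plugin code."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")

    def write(rel, body):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

    write("hello-dolly/hello.php", "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/\n")
    write("product-slider-pro/product-slider-pro.php",
          "<?php\n/*\nPlugin Name: Product Slider Pro\nVersion: 3.5.3\n*/\n")
    write("product-slider-pro/includes/LicenseLoader.php", "<?php // constructed stand-in\n")
    write("woocommerce-notification/woocommerce-notification.php",
          "<?php\n/*\nPlugin Name: WooCommerce Notification\nVersion: 1.0\n*/\n")
    return root


if __name__ == "__main__":
    for finding in scan_plugins_dir(build_demo_tree()):
        print(f"{finding['kind']:18} {finding['name']:32} {finding['path']}")
```

Run it against a real site by passing the actual wp-content/plugins path to scan_plugins_dir instead of the demo tree. A fake_plugin_dir or loader_file finding is the trigger for the credential, 2FA and user-list review described above; an unpatched_version finding on its own means the build should be replaced with the fixed release before the site is trusted again.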