WordPress Plugin Hack: ShapedPlugin Vulnerability Exposes Sites to Security Breach
A supply chain attack targeting the ShapedPlugin WordPress plugin vendor resulted in the distribution of compromised updates to paying customers through the official plugin update system.
Attack Overview
The malicious updates introduced a counterfeit plugin designed to mimic WooCommerce components, enabling threat actors to extract credentials, access sensitive data, and execute remote file operations. The affected plugins were Product Slider Pro for WooCommerce prior to version 3.5.4, Real Testimonials Pro 3.2.5, and Smart Post Show Pro prior to version 4.0.2.
Malicious Updates and Compromised Plugins
Security firm Defiant, using data from its Wordfence firewall, identified the backdoor injection into ShapedPlugin’s Pro builds on May 21. Reports of suspicious updates surfaced on June 10, prompting an investigation. ShapedPlugin confirmed the breach and stated that mitigation measures had been implemented, with updated plugin versions being validated before release.
The attack involved the insertion of a malicious loader file, LicenseLoader.php, which activates when an administrator accesses the WordPress admin panel. This component communicates with a command-and-control (C2) server to execute further actions.
Malicious Loader and Data Extraction
The hidden counterfeit plugin was designed to extract a range of sensitive information, including:
- WordPress login credentials (usernames, passwords, session cookies, user roles, IP addresses, and browser details)
- Two-factor authentication (2FA) secrets from security plugins
- Database credentials and WordPress authentication keys from the wp-config.php file
- Administrator account details
- SMTP/service credentials
- WooCommerce order data from the past three months, including payment method details
Analysis and Root Cause
Analysis by Wordfence suggested the breach originated from a compromised build pipeline, evidenced by file modifications, timestamp patterns indicative of automated injection, and embedded Git build references. Releases hosted on WordPress.org were confirmed to be unaffected, indicating the attackers accessed ShapedPlugin’s internal release infrastructure.
CVE Identifiers and Incident Tracking
The incident is being tracked under CVE-2026-10735, with a duplicate identifier, CVE-2026-49777, also submitted. This follows a recent breach of the OptinMonster WordPress plugin via a CDN supply chain attack, though the ShapedPlugin compromise appears to stem from a build pipeline vulnerability.
Response and Mitigation
ShapedPlugin released updated versions of the affected plugins, with Product Slider Pro 3.5.4 and Smart Post Show Pro 4.0.2 containing fixes. The company directed users to Real Testimonials Pro 3.2.6, which addressed WPCS-related warnings. A formal statement is pending Wordfence’s confirmation that the patches resolve the issue.
Security Recommendations
Security experts advise administrators to verify plugin integrity and ensure all updates are applied promptly. The incident highlights the risks of compromised software distribution channels and underscores the importance of rigorous validation processes for plugin updates.
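As an added example (not code from the article, Wordfence or ShapedPlugin), the two checks an administrator would run after this incident, scripted in Python: look for the LicenseLoader.php loader anywhere under each plugin directory, and compare each affected plugin's header version against the fixed versions the article lists. The fixed-version table comes from the article (3.2.6 for Real Testimonials Pro, the version the vendor directed users to); the plugin directory names in the fixture are constructed, not the vendor's real slugs.

```python
import glob
import os
import re
import tempfile

FIXED_VERSIONS = {  # minimum fixed versions named in the advisory; anything older is flagged
    "Product Slider Pro for WooCommerce": (3, 5, 4),
    "Real Testimonials Pro": (3, 2, 6), "Smart Post Show Pro": (4, 0, 2)}
LOADER_NAME = "LicenseLoader.php"  # loader file reported in the tampered builds
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

def parse_version(text):
    return tuple(int(p) for p in re.findall(r"\d+", text))  # '3.5.4' -> (3, 5, 4)

def read_headers(plugin_dir):
    """Header fields of the first top-level PHP file that declares a Plugin Name."""
    for path in sorted(glob.glob(os.path.join(plugin_dir, "*.php"))):
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = dict(HEADER_RE.findall(fh.read(8192)))  # WordPress also reads only the first 8 KB
        if "Plugin Name" in found:
            return found
    return {}

def scan_plugins(plugins_root):
    """Return (plugin_dir, reason) findings for each plugin under wp-content/plugins."""
    findings = []
    for slug in sorted(s for s in os.listdir(plugins_root) if os.path.isdir(os.path.join(plugins_root, s))):
        plugin_dir = os.path.join(plugins_root, slug)
        for _root, _dirs, files in os.walk(plugin_dir):  # the loader may be nested anywhere
            if LOADER_NAME in files:
                findings.append((slug, f"contains {LOADER_NAME}"))
        h = read_headers(plugin_dir)
        fixed = FIXED_VERSIONS.get(h.get("Plugin Name"))
        if fixed and "Version" in h and parse_version(h["Version"]) < fixed:
            findings.append((slug, f"{h['Plugin Name']} {h['Version']} is below fixed version {'.'.join(map(str, fixed))}"))
    return findings

def build_sample_tree():
    """Constructed fixture (directory names made up): one stale plugin with the loader, one patched."""
    root = tempfile.mkdtemp()
    for slug, name, ver, loader in [("product-slider-pro", "Product Slider Pro for WooCommerce", "3.5.3", True),
                                    ("smart-post-show-pro", "Smart Post Show Pro", "4.0.2", False)]:
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, slug + ".php"), "w") as fh:
            fh.write(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
        if loader:
            open(os.path.join(root, slug, LOADER_NAME), "w").close()
    return root
```

Point `scan_plugins()` at a real wp-content/plugins directory to run it against a live install; a loader hit on any plugin, not only the three listed, is worth investigating.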
