ShapedPlugin update flow hacked to infect WordPress sites
ShapedPlugin's update system compromised to distribute malware-infected WordPress plugins to paying customers
Summary
Multiple WordPress plugins from ShapedPlugin were compromised via a build pipeline attack that injected malware into paid plugin releases distributed through the vendor's official update system. The malware deployed a hidden fake WooCommerce plugin that steals credentials, 2FA secrets, database details, and payment information from infected sites. The incident affected Product Slider Pro, Real Testimonials Pro, and Smart Post Show Pro before patched versions were released on June 16.
Full text
By Bill Toulas, June 18, 2026 08:55 AM

Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack that distributed infected releases to paying customers via the vendor's official update system. The malware delivered this way installed a fake plugin that impersonates WooCommerce components, steals credentials, and grants operators remote file-writing capabilities.

ShapedPlugin is a WordPress plugin vendor specializing in front-end/UI components and content display plugins, with a total active installation base of more than 400,000 for its free products.

The security incident affected only three paid plugins: Product Slider Pro for WooCommerce before 3.5.4, Real Testimonials Pro 3.2.5, and Smart Post Show Pro before 4.0.2.

According to data that WordPress security company Defiant collected from its Wordfence firewall, the backdoor was injected into ShapedPlugin's Pro builds on May 21, and the first customer reports about potentially malicious updates emerged on June 10. The researchers confirmed the breach after downloading infected plugins from the ShapedPlugin site on June 12, and the publisher acknowledged the incident on June 16.

“Our team immediately initiated an investigation upon identifying the concern, and we have already implemented the necessary measures to mitigate the issue,” ShapedPlugin told Wordfence.

The publisher added that they were preparing updated plugin releases and validating them before pushing them to the update channels.

Supply-chain compromise

According to Wordfence’s analysis, the infected plugins contain a malicious loader file (LicenseLoader.php) that activates when a WordPress administrator accesses the website’s admin panel.

It contacts the command-and-control (C2) server, downloads the second stage (the backdoor), installs it as a fake plugin (woocommerce-subscription or woocommerce-notification), reports to the attacker, and then self-deletes to erase evidence.

The fake plugin, which is hidden from the WordPress plugin list, attempts to steal the following information on infected sites:

- WordPress login credentials (usernames, passwords, session cookies, user roles, IP addresses, and browser details)
- Two-factor authentication (2FA) secrets from popular WordPress security plugins
- Database credentials and WordPress authentication keys from wp-config.php
- Administrator account details
- SMTP/email service credentials
- WooCommerce order data from the past three months, including payment method information

The researchers believe this was a build pipeline compromise, based on the file modifications, timestamp patterns suggesting automated injection, and Git build references contained in the packages. Also, releases hosted on WordPress.org were confirmed to be clean, suggesting that the attackers gained access to ShapedPlugin’s release infrastructure.

WordPress is currently tracking the incident under CVE-2026-10735, while CVE-2026-49777 was also submitted as a duplicate.

The ShapedPlugin compromise comes shortly after another major WordPress product, OptinMonster, was breached in a CDN supply-chain attack made possible by a flaw in a marketing server that allowed the hacker to steal credentials for a CDN account. In the ShapedPlugin case, though, the point of compromise appears to be the build pipeline.

BleepingComputer has contacted the plugin vendor for a statement, and the company pointed us to the release of Real Testimonials Pro version 3.2.6, which lists a single fix described as “Fix: Some WPCS-related warnings.” ShapedPlugin also said that an official statement will be published after Wordfence's confirmation that the patches addressed the issue.
According to Wordfence, fixes were made available for Product Slider Pro in version 3.5.4 and for Smart Post Show Pro in version 4.0.2.

If fake WooCommerce plugins are found, website administrators are advised to reset all passwords on their sites, regenerate two-factor authentication (2FA) secrets, and review user lists for rogue additions.
Indicators of Compromise
- malware — woocommerce-subscription
- malware — woocommerce-notification
- malware — LicenseLoader.php
- cve — CVE-2026-10735
- cve — CVE-2026-49777