ShapedPlugin update flow hacked to infect WordPress sites

ShapedPlugin's build pipeline was compromised, injecting malware into legitimate WordPress plugin updates for Product Slider Pro, Real Testimonials Pro, and Smart Post Show Pro. The malware deployed a hidden fake WooCommerce plugin that harvests credentials, 2FA secrets, database details, and payment information. Any WordPress site running these plugins between releases is potentially compromised.

CRITICALAdvisoryJun 18, 2026

Action required

Identify and audit all WordPress sites running ShapedPlugin products. Update to patched versions released June 16 or later immediately. Scan infected sites for the hidden WooCommerce plugin and check database access logs for unauthorized activity. Reset all database credentials, API keys, and 2FA secrets on affected installations.

Affected products

ShapedPluginProduct Slider ProReal Testimonials ProSmart Post Show ProDefiant

Linked articles

ShapedPlugin update flow hacked to infect WordPress sites

Source links

https://www.bleepingcomputer.com/news/security/shapedplugin-update-flow-hacked-to-infect-wordpress-sites/