Critical Supply Chain Attack Compromises Popular WordPress Plugins Through Official Updates

A serious supply chain attack has impacted several premium WordPress plugins developed by ShapedPlugin, exposing thousands of websites to malware through the vendor’s official update system.

Security researchers discovered that unknown attackers compromised the company’s software distribution pipeline, allowing them to inject malicious code into legitimate plugin updates distributed to paying customers.

Unlike traditional plugin vulnerabilities, this incident affected users who downloaded updates directly from the vendor’s official infrastructure, making it particularly dangerous for website administrators who trusted the source.

Affected Plugins and Versions

The attack targeted the premium versions of the following WordPress plugins:

  • Product Slider Pro for WooCommerce (versions earlier than 3.5.4)
  • Real Testimonials Pro (version 3.2.5)
  • Smart Post Show Pro (versions earlier than 4.0.2)

Importantly, the free versions available through the official WordPress.org repository were not affected. The malicious code was only found in Pro versions distributed through ShapedPlugin’s Easy Digital Downloads (EDD) licensing and update platform.

Critical Security Ratings Assigned

The compromise has received high-severity vulnerability identifiers due to its widespread impact and potential consequences.

The Product Slider Pro for WooCommerce compromise has been assigned CVE-2026-49777 with a maximum CVSS score of 10.0.

Additionally, the overall supply chain attack has been tracked as CVE-2026-10735, carrying a CVSS score of 9.8, highlighting the critical nature of the incident.

How the Malware Worked

According to security researchers, the compromised plugins contained a hidden loader that executed whenever an administrator accessed the WordPress dashboard.

The malicious component connected to a remote command-and-control server and downloaded an additional payload, which was then installed as a fake plugin within the website.

Once activated, the malware:

  • Reported the infected website’s domain to the attacker’s server
  • Removed traces of the initial installer to avoid detection
  • Hid itself from the WordPress plugin management interface
  • Captured administrator usernames and passwords in plaintext
  • Collected two-factor authentication (2FA) codes

These actions allowed attackers to gain and maintain unauthorized access to compromised websites.

Advanced Persistence and Backdoor Capabilities

The fake plugin included several mechanisms designed to ensure long-term access even if parts of the malware were removed.

Researchers found that the malware could:

  • Create multiple persistence methods within WordPress
  • Write arbitrary files through a custom REST API endpoint
  • Deploy a web shell capable of executing server commands remotely
  • Maintain administrator-level control over affected websites

These capabilities significantly increased the difficulty of detecting and removing the infection.
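Server access logs are one place the two mechanisms just described leave traces: a dropped web shell is driven by direct requests to a PHP file under wp-content, and a file-writing REST endpoint shows up as write requests to a REST namespace that neither WordPress core nor the site's known plugins register. The following Python triage script is an added example written for this article, not the researchers' or ShapedPlugin's tooling. The log lines are constructed in Apache/Nginx "combined" format, the REST namespace allowlist is an assumption that has to be tailored per site, and the plugin and file names in the sample lines are placeholders.

```python
"""Triage a web-server access log for the two persistence traces above:
direct requests to PHP files under wp-content (how a dropped web shell is
driven) and write requests to a REST namespace the site is not known to
register (how a file-writing REST endpoint would be used).

Added example for this article, not the researchers' or ShapedPlugin's
tooling. The log lines are constructed in Apache/Nginx "combined" format,
KNOWN_REST_NAMESPACES is an assumption to tailor per site, and the plugin
and file names in the sample are placeholders.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# REST namespaces this site is expected to expose (assumed; add those of
# every installed plugin before running this against real logs).
KNOWN_REST_NAMESPACES = {"wp", "wp-site-health", "wc", "oembed"}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
PHP_UNDER_WP_CONTENT = re.compile(r"^/wp-content/(?:plugins|themes|uploads)/.+\.php$")


def rest_namespace(target: str):
    """Return the REST namespace of a request, whether routed as /wp-json/<ns>/...
    or as index.php?rest_route=/<ns>/..., or None for non-REST requests."""
    parts = urlsplit(target)
    if parts.path.startswith("/wp-json/"):
        route = parts.path[len("/wp-json"):]
    else:
        route = parse_qs(parts.query).get("rest_route", [""])[0]
    first = route.strip("/").split("/")[0]
    return first or None


def classify(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], m["status"]
    path = urlsplit(target).path
    # Plugin and theme code is normally executed via WordPress, not by
    # requesting the file itself; a 200 on a direct hit is the web-shell pattern.
    if PHP_UNDER_WP_CONTENT.match(path) and status == "200":
        return {"kind": "direct-php-under-wp-content", "ip": m["ip"],
                "method": method, "path": path}
    # Only write methods to an unknown namespace are flagged; GETs to unknown
    # namespaces are common (front-end widgets) and would drown the signal.
    ns = rest_namespace(target)
    if ns and ns not in KNOWN_REST_NAMESPACES and method in WRITE_METHODS:
        return {"kind": "write-to-unknown-rest-namespace", "ip": m["ip"],
                "method": method, "path": path, "namespace": ns}
    return None


def triage(lines):
    """Classify every line; return (findings, count of findings per source IP)."""
    findings = [f for f in map(classify, lines) if f]
    return findings, Counter(f["ip"] for f in findings)


# Constructed sample log (documentation-range addresses, placeholder names).
SAMPLE_LOG = [
    '203.0.113.10 - - [12/May/2026:10:01:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/May/2026:10:01:09 +0000] "POST /wp-json/wc/v3/orders HTTP/1.1" 401 120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/May/2026:10:02:14 +0000] "POST /wp-json/example-ns/v1/files HTTP/1.1" 200 48 "-" "curl/8.4.0"',
    '198.51.100.7 - - [12/May/2026:10:02:30 +0000] "POST /wp-content/plugins/example-helper/w.php HTTP/1.1" 200 310 "-" "curl/8.4.0"',
    '192.0.2.5 - - [12/May/2026:10:03:00 +0000] "GET /wp-content/plugins/hello-dolly/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [12/May/2026:10:03:05 +0000] "GET /index.php?rest_route=/example-ns/v1/status HTTP/1.1" 200 60 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    findings, by_ip = triage(SAMPLE_LOG)
    for f in findings:
        print(f"{f['ip']:>14} {f['method']:<5} {f['kind']}: {f['path']}")
    print("suspicious requests per IP:", dict(by_ip))
```

Run against a real log with `triage(open("access.log"))` after extending KNOWN_REST_NAMESPACES with every plugin the site legitimately installs; the point of the allowlist is that a namespace nobody can account for is the lead worth pulling, and grouping findings by source IP ties the REST writes and the web-shell hits to the same actor.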

Sensitive Data at Risk

Another concerning element of the attack involved a bundled PHP file named install-persistent.php, which extracted sensitive information from compromised websites.

The file was capable of collecting:

WordPress Configuration Data

  • Complete contents of wp-config.php
  • Database credentials
  • Authentication salts and security keys
  • Debugging configuration settings

Administrator Information

  • Lists of all administrator accounts
  • User registration dates

Email Service Credentials

  • SMTP credentials from popular email plugins, including:
    • WP Mail SMTP
    • Post SMTP
    • Easy WP SMTP

WooCommerce Data

  • Order information from the previous three months
  • Payment method statistics and transaction details

After outputting the gathered information, the file deleted itself, which makes forensic investigation harder.

Evidence Points to Build Pipeline Compromise

Security experts believe the attackers likely compromised ShapedPlugin’s build and release process rather than directly altering plugin packages after publication.

This distinction is important because it suggests attackers gained access to the software development or deployment environment, allowing malicious code to be inserted before official releases were distributed to customers.

ShapedPlugin Responds to the Incident

Following disclosure of the attack, ShapedPlugin acknowledged the security breach and stated that it is reviewing its release and distribution processes.

The company is conducting comprehensive security audits and validation checks before releasing updated versions of the affected plugins.

Future releases are expected to undergo enhanced security testing to prevent similar incidents.

What Website Owners Should Do Immediately

Administrators who installed any of the compromised plugin versions should take immediate action to secure their websites.

Recommended steps include:

  1. Reset all user passwords, especially administrator accounts.
  2. Revoke and regenerate two-factor authentication (2FA) secrets.
  3. Review administrator accounts for unauthorized additions.
  4. Inspect SMTP and email plugin settings for suspicious modifications.
  5. Scan the website for hidden plugins and backdoors.
  6. Check server logs for unusual activity.
  7. Update affected plugins as soon as clean versions become available.
  8. Conduct a full malware and integrity scan of the website.
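Step 5 can be partly scripted from the filesystem and the active_plugins option. WordPress only lists a plugin in the dashboard when its main file carries a "Plugin Name:" header, so an entry in active_plugins whose file lacks that header loads on every request yet never appears in the plugin list; plugins that hook the all_plugins filter are the other common way of hiding. The following Python audit is an added example for this article, not ShapedPlugin's or WordPress's code. It assumes the standard wp-content/plugins layout, takes active_plugins as the PHP-serialized string stored in wp_options, treats the call patterns it greps for as leads rather than proof, and uses install-persistent.php, the file name reported in this incident, as its only known-bad name; the sample site it builds is constructed and its "hidden" plugin is a non-functional fragment that merely exhibits those patterns.

```python
"""Audit a WordPress plugin directory for plugins that hide from the
dashboard or carry persistence hooks.

Added example (not ShapedPlugin's or WordPress's code). Assumptions:
plugins live under wp-content/plugins/, and the `active_plugins` option
is supplied as the PHP-serialized string stored in the wp_options table.
"""
import re
import tempfile
from pathlib import Path

# WordPress lists a plugin in the dashboard only if its main file carries a
# "Plugin Name:" header; an active plugin without one loads but stays invisible.
PLUGIN_HEADER = re.compile(r"Plugin Name:\s*\S")

# Heuristic indicators of self-concealment and persistence (assumed patterns;
# legitimate plugins can match some of these, so treat hits as leads).
SUSPICIOUS = {
    "hides_from_plugin_list": re.compile(r"add_filter\(\s*['\"]all_plugins['\"]"),
    "registers_rest_route": re.compile(r"register_rest_route\s*\("),
    "writes_files": re.compile(r"\b(file_put_contents|fwrite|move_uploaded_file)\s*\("),
    "executes_code": re.compile(r"\b(eval|system|shell_exec|passthru|proc_open)\s*\("),
}
KNOWN_BAD_FILENAMES = {"install-persistent.php"}  # file name reported in the incident


def parse_php_string_array(blob: str) -> list:
    """Parse a PHP-serialized array of strings, e.g. a:1:{i:0;s:5:"a.php";}."""
    head = re.match(r"a:(\d+):\{", blob)
    if not head:
        raise ValueError("not a serialized PHP array")
    count, pos, values = int(head.group(1)), head.end(), []
    for _ in range(count):
        item = re.match(r"i:\d+;s:(\d+):\"", blob[pos:])
        if not item:
            raise ValueError(f"unexpected token at offset {pos}")
        start = pos + item.end()
        length = int(item.group(1))
        values.append(blob[start:start + length])
        pos = start + length + 2  # skip the closing '";'
    return values


def audit_plugins(plugins_dir: Path, active_serialized: str) -> list:
    """Return findings as {"plugin": <relative path>, "issue": <reason>} dicts."""
    findings = []

    # 1. Active plugins that are missing on disk or carry no plugin header.
    for rel in parse_php_string_array(active_serialized):
        main_file = plugins_dir / rel
        if not main_file.is_file():
            findings.append({"plugin": rel, "issue": "active but missing on disk"})
        elif not PLUGIN_HEADER.search(main_file.read_text(errors="replace")):
            findings.append({"plugin": rel, "issue": "active but hidden (no Plugin Name header)"})

    # 2. Every PHP file in the tree: known-bad names and risky call patterns.
    for php in sorted(plugins_dir.rglob("*.php")):
        rel = php.relative_to(plugins_dir).as_posix()
        if php.name in KNOWN_BAD_FILENAMES:
            findings.append({"plugin": rel, "issue": "known malicious file name"})
        src = php.read_text(errors="replace")
        for label, pattern in SUSPICIOUS.items():
            if pattern.search(src):
                findings.append({"plugin": rel, "issue": label})
    return findings


def build_sample_site() -> Path:
    """Construct a throwaway plugins directory: one normal plugin, one hidden one."""
    root = Path(tempfile.mkdtemp()) / "plugins"
    (root / "hello-dolly").mkdir(parents=True)
    (root / "hello-dolly" / "hello.php").write_text(
        "<?php\n/*\nPlugin Name: Hello Dolly\n*/\nfunction hello_dolly() {}\n")
    (root / "wp-core-helper").mkdir()
    # Constructed, non-functional fragment that only exhibits the patterns above.
    (root / "wp-core-helper" / "loader.php").write_text(
        "<?php\nadd_filter('all_plugins', 'wch_hide');\n"
        "register_rest_route('wch/v1', '/f', array());\n"
        "file_put_contents($target, $body);\n")
    (root / "wp-core-helper" / "install-persistent.php").write_text("<?php\n")
    return root


# Constructed active_plugins value: a normal plugin, the hidden one, and a
# leftover entry whose file has already been removed (a cleaned-up installer).
SAMPLE_ACTIVE = ('a:3:{i:0;s:21:"hello-dolly/hello.php";'
                 'i:1;s:25:"wp-core-helper/loader.php";'
                 'i:2;s:20:"gone/gone-plugin.php";}')

if __name__ == "__main__":
    for f in audit_plugins(build_sample_site(), SAMPLE_ACTIVE):
        print(f"{f['plugin']}: {f['issue']}")
```

On a real site, pass the plugins directory and the raw option value (for example from `wp option get active_plugins` or a query on wp_options); an "active but missing on disk" entry is itself worth noting, since the malware described above removed its installer after running, and a header-less active plugin should be treated as hostile until its origin is explained.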

Final Thoughts

This incident serves as another reminder that supply chain attacks remain one of the most effective threats facing the WordPress ecosystem. Even organizations that follow security best practices can become victims when trusted software vendors are compromised.

Website owners should remain vigilant, monitor plugin updates carefully, and implement layered security controls to reduce the impact of future supply chain attacks.
