A serious supply chain attack has impacted several premium WordPress plugins developed by ShapedPlugin, exposing thousands of websites to malware through the vendor’s official update system.
Security researchers discovered that unknown attackers compromised the company’s software distribution pipeline, allowing them to inject malicious code into legitimate plugin updates distributed to paying customers.
Unlike traditional plugin vulnerabilities, this incident affected users who downloaded updates directly from the vendor’s official infrastructure, making it particularly dangerous for website administrators who trusted the source.
Affected Plugins and Versions
The attack targeted the premium versions of the following WordPress plugins:
- Product Slider Pro for WooCommerce (versions earlier than 3.5.4)
- Real Testimonials Pro (version 3.2.5)
- Smart Post Show Pro (versions earlier than 4.0.2)
Importantly, the free versions available through the official WordPress.org repository were not affected. The malicious code was only found in Pro versions distributed through ShapedPlugin’s Easy Digital Downloads (EDD) licensing and update platform.
Critical Security Ratings Assigned
The compromise has received high-severity vulnerability identifiers due to its widespread impact and potential consequences.
The Product Slider Pro for WooCommerce compromise has been assigned CVE-2026-49777 with a maximum CVSS score of 10.0.
Additionally, the overall supply chain attack has been tracked as CVE-2026-10735, carrying a CVSS score of 9.8, highlighting the critical nature of the incident.
How the Malware Worked
According to security researchers, the compromised plugins contained a hidden loader that executed whenever an administrator accessed the WordPress dashboard.
The malicious component connected to a remote command-and-control server and downloaded an additional payload, which was then installed as a fake plugin within the website.
Once activated, the malware:
- Reported the infected website’s domain to the attacker’s server
- Removed traces of the initial installer to avoid detection
- Hid itself from the WordPress plugin management interface
- Captured administrator usernames and passwords in plaintext
- Collected two-factor authentication (2FA) codes
These actions allowed attackers to gain and maintain unauthorized access to compromised websites.
Advanced Persistence and Backdoor Capabilities
The fake plugin included several mechanisms designed to ensure long-term access even if parts of the malware were removed.
Researchers found that the malware could:
- Create multiple persistence methods within WordPress
- Write arbitrary files through a custom REST API endpoint
- Deploy a web shell capable of executing server commands remotely
- Maintain administrator-level control over affected websites
These capabilities significantly increased the difficulty of detecting and removing the infection.
Sensitive Data at Risk
Another concerning element of the attack involved a bundled PHP file named install-persistent.php, which extracted sensitive information from compromised websites.
The file was capable of collecting:
WordPress Configuration Data
- Complete contents of wp-config.php
- Database credentials
- Authentication salts and security keys
- Debugging configuration settings
Administrator Information
- Lists of all administrator accounts
- User registration dates
Email Service Credentials
- SMTP credentials from popular email plugins, including:
  - WP Mail SMTP
  - Post SMTP
  - Easy WP SMTP
WooCommerce Data
- Order information from the previous three months
- Payment method statistics and transaction details
After displaying the gathered information, the file automatically deleted itself, making forensic investigations more challenging.
Evidence Points to Build Pipeline Compromise
Security experts believe the attackers likely compromised ShapedPlugin’s build and release process rather than directly altering plugin packages after publication.
This distinction is important because it suggests attackers gained access to the software development or deployment environment, allowing malicious code to be inserted before official releases were distributed to customers.
ShapedPlugin Responds to the Incident
Following disclosure of the attack, ShapedPlugin acknowledged the security breach and stated that it is reviewing its release and distribution processes.
The company is conducting comprehensive security audits and validation checks before releasing updated versions of the affected plugins.
Future releases are expected to undergo enhanced security testing to prevent similar incidents.
What Website Owners Should Do Immediately
Administrators who installed any of the compromised plugin versions should take immediate action to secure their websites.
Recommended steps include:
- Reset all user passwords, especially administrator accounts.
- Revoke and regenerate two-factor authentication (2FA) secrets.
- Review administrator accounts for unauthorized additions.
- Inspect SMTP and email plugin settings for suspicious modifications.
- Scan the website for hidden plugins and backdoors.
- Check server logs for unusual activity.
- Update affected plugins as soon as clean versions become available.
- Conduct a full malware and integrity scan of the website.
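As an added example (not code from ShapedPlugin or the researchers who reported the incident), the Python script below performs two of the checks above on a WordPress directory tree: it compares the plugin directories on disk against the slugs the Plugins screen actually lists, which exposes a plugin that filters itself out of that list, and it looks for the install-persistent.php filename named in the report. The slug wp-core-helper, the "Core Helper" plugin and the whole sample tree the demo builds are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# "Plugin Name:" header line inside a PHP comment block.
HEADER_RE = re.compile(r"^[\s*#/]*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)
SUSPECT_FILENAMES = {"install-persistent.php"}  # filename taken from the report

def plugin_header_name(plugin_dir):
    """Return the 'Plugin Name:' header from the directory's PHP files, if any."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        match = HEADER_RE.search(php.read_text(errors="replace")[:8192])
        if match:
            return match.group(1)
    return None

def find_hidden_plugins(plugins_root, visible_slugs):
    """Plugin directories on disk that the dashboard's plugin list omits.

    A plugin that filters itself out of the Plugins screen still has a
    directory, so diffing disk against the UI's list surfaces it.
    """
    visible = set(visible_slugs)
    return [(d.name, plugin_header_name(d))
            for d in sorted(Path(plugins_root).iterdir())
            if d.is_dir() and d.name not in visible]

def find_suspect_files(wp_root):
    """Relative paths of files whose name matches the report's self-deleting collector."""
    root = Path(wp_root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.name in SUSPECT_FILENAMES)

def demo():
    """Run both checks on a constructed, throw-away WordPress layout."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp, "wp-content", "plugins")
        legit = plugins / "real-testimonials-pro"      # listed by the UI
        legit.mkdir(parents=True)
        (legit / "real-testimonials-pro.php").write_text(
            "<?php\n/**\n * Plugin Name: Real Testimonials Pro\n */\n")
        rogue = plugins / "wp-core-helper"             # constructed slug, not listed
        rogue.mkdir()
        (rogue / "helper.php").write_text("<?php\n/*\nPlugin Name: Core Helper\n*/\n")
        (rogue / "install-persistent.php").write_text("<?php // constructed stand-in\n")
        ui_shows = ["real-testimonials-pro"]           # slugs the Plugins screen showed
        return find_hidden_plugins(plugins, ui_shows), find_suspect_files(tmp)

if __name__ == "__main__":
    print(demo())
```

Against a live site, point find_hidden_plugins at wp-content/plugins with the slugs copied from the Plugins screen, and find_suspect_files at the WordPress root; a hit in either list is a lead for the log review and integrity scan, not proof on its own.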
Final Thoughts
This incident serves as another reminder that supply chain attacks remain one of the most effective threats facing the WordPress ecosystem. Even organizations that follow security best practices can become victims when trusted software vendors are compromised.
Website owners should remain vigilant, monitor plugin updates carefully, and implement layered security controls to reduce the impact of future supply chain attacks.
