A supply chain attack targeting premium plugins from ShapedPlugin exposed WordPress websites to credential theft and remote access after malicious code was distributed through the company’s official update system.
The incident affected three paid plugins: Product Slider Pro for WooCommerce versions earlier than 3.5.4, Real Testimonials Pro version 3.2.5, and Smart Post Show Pro versions earlier than 4.0.2. Free plugin versions available through WordPress.org were not impacted.
Security researchers at Wordfence discovered that the compromised plugin updates included a malicious file called LicenseLoader.php. The file activated when a site administrator logged into the WordPress dashboard, connected to an attacker-controlled server, downloaded a second-stage backdoor, installed it as a fake WooCommerce plugin, and then deleted itself to hide evidence.
The fake plugins, named woocommerce-subscription and woocommerce-notification, were hidden from the WordPress plugin list and designed to steal sensitive information. This included WordPress usernames, passwords, session cookies, administrator details, database credentials, authentication keys, email service credentials, two-factor authentication secrets, and WooCommerce order information from the previous three months.
According to researchers from Defiant, the malicious code was injected into ShapedPlugin’s premium builds on May 21, while customer reports of suspicious updates began appearing on June 10. The researchers confirmed the compromise on June 12, and ShapedPlugin acknowledged the incident on June 16.
Investigators believe attackers compromised ShapedPlugin’s build pipeline rather than exploiting a vulnerability in the plugins themselves. Evidence includes automated file modifications, suspicious timestamps, and Git build references found inside the infected packages.
The incident is being tracked under CVE-2026-10735. ShapedPlugin has released security updates for the affected plugins, including Product Slider Pro 3.5.4, Smart Post Show Pro 4.0.2, and Real Testimonials Pro 3.2.6.
Website administrators using any of the affected plugins should update immediately, check for hidden WooCommerce-related plugins, reset all passwords, regenerate two-factor authentication codes, review administrator accounts for unauthorized additions, and inspect their sites for signs of compromise.
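To make the last of those steps concrete, here is an added example that is not from the article, Wordfence, Defiant or ShapedPlugin: a read-only Python check that walks a site's wp-content/plugins directory and reports the indicators the article names (the two rogue plugin directories, any LicenseLoader.php file, and affected premium plugins still below their fixed release). The "Plugin Name" header strings used to match the affected plugins are assumptions, and the small plugin tree it scans in the demo is constructed inline.

```python
"""Read-only triage of a WordPress plugins directory for the indicators named in the
article. Added example, not ShapedPlugin's or Wordfence's code. Header names and the
sample tree are assumptions/constructed data."""
import os
import re
import shutil
import tempfile

# Indicators named in the article
ROGUE_PLUGIN_DIRS = {"woocommerce-subscription", "woocommerce-notification"}
LOADER_FILENAME = "LicenseLoader.php"

# Affected premium plugins and the first release the vendor shipped as fixed.
# The "Plugin Name" header strings are ASSUMED to match the product names in the
# article; check the header of your own copy if a plugin is not matched.
FIXED_VERSIONS = {
    "Product Slider Pro for WooCommerce": "3.5.4",
    "Real Testimonials Pro": "3.2.6",
    "Smart Post Show Pro": "4.0.2",
}

# Matches "Plugin Name: X" / "Version: X" in either header comment style (/* ... */ or " * ...")
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def version_tuple(text):
    """'3.5.4' -> (3, 5, 4); tolerates suffixes such as '3.5.4-beta'."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def read_plugin_header(plugin_dir):
    """Return {'Plugin Name': ..., 'Version': ...} from the first top-level PHP file
    carrying a WordPress plugin header, or None if the directory has none."""
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith(".php"):
            continue
        with open(os.path.join(plugin_dir, name), encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)  # WordPress itself only inspects the first 8 KiB
        fields = dict(HEADER_RE.findall(head))
        if "Plugin Name" in fields:
            return fields
    return None


def scan_plugins(plugins_root):
    """Walk wp-content/plugins and return a list of (severity, message) findings."""
    findings = []
    for entry in sorted(os.listdir(plugins_root)):
        plugin_dir = os.path.join(plugins_root, entry)
        if not os.path.isdir(plugin_dir):
            continue
        # 1. Rogue second-stage plugin directories (hidden from the dashboard, not from disk)
        if entry in ROGUE_PLUGIN_DIRS:
            findings.append(("critical", f"rogue plugin directory present: {entry}"))
        # 2. The first-stage loader file, anywhere inside the plugin
        for dirpath, _dirs, files in os.walk(plugin_dir):
            if LOADER_FILENAME in files:
                findings.append(("critical", f"{LOADER_FILENAME} found in {dirpath}"))
        # 3. Affected premium plugin still below the fixed release
        header = read_plugin_header(plugin_dir)
        if header is None:
            continue
        fixed = FIXED_VERSIONS.get(header["Plugin Name"])
        installed = header.get("Version", "0")
        if fixed and version_tuple(installed) < version_tuple(fixed):
            findings.append(("high", f"{header['Plugin Name']} {installed} is older than fixed release {fixed}"))
    return findings


def build_sample_site():
    """Create a CONSTRUCTED wp-content/plugins tree in a temp dir for the demo."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")

    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

    # Outdated affected plugin that still carries the loader file (constructed)
    write("product-slider-pro/product-slider-pro.php",
          "<?php\n/*\nPlugin Name: Product Slider Pro for WooCommerce\nVersion: 3.5.3\n*/\n")
    write("product-slider-pro/includes/LicenseLoader.php", "<?php // constructed placeholder\n")
    # Rogue directory named in the article (constructed empty stub, no plugin header)
    write("woocommerce-subscription/woocommerce-subscription.php", "<?php // constructed placeholder\n")
    # Patched plugin: should produce no finding
    write("smart-post-show-pro/smart-post-show-pro.php",
          "<?php\n/*\n * Plugin Name: Smart Post Show Pro\n * Version: 4.0.2\n */\n")
    return root


def demo_scan():
    """Scan the constructed sample tree and clean it up afterwards."""
    root = build_sample_site()
    try:
        return scan_plugins(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for severity, message in demo_scan():
        print(f"[{severity}] {message}")
```

On a real site, point scan_plugins at the actual wp-content/plugins path. The script reads the filesystem rather than the dashboard because the rogue plugins hid themselves from the plugin list; an empty result is a triage signal only and does not replace the password and two-factor resets the article calls for.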
The ShapedPlugin breach follows another recent WordPress supply chain incident involving OptinMonster, highlighting the growing risk of attacks targeting software vendors and their update infrastructure.