Supply Chain Attack Compromises Three ShapedPlugin Premium WordPress Plugins

Attackers breached ShapedPlugin's update mechanism and pushed malicious versions of paid plugins to customers.

Attack targeted premium plugins via build pipeline. The incident struck only three commercial offerings: Product Slider Pro for WooCommerce before 3.5.4, Real Testimonials Pro 3.2.5, and Smart Post Show Pro before 4.0.2. Wordfence firewall telemetry showed the backdoor entered the Pro builds on May 21, 2026, with initial customer complaints about suspicious updates arriving on June 10, 2026.

Researchers at the security firm verified the compromise by pulling infected copies straight from the vendor's site on June 12, 2026. ShapedPlugin publicly recognized the breach four days later. The company told Wordfence, "Our team immediately initiated an investigation upon identifying the concern, and we have already implemented the necessary measures to mitigate the issue."

Malware installs hidden backdoor that steals credentials. Each tainted package included a loader called LicenseLoader.php. The file triggers when an administrator opens the site's dashboard, reaches out to a command-and-control server, fetches the full backdoor, drops it as a concealed plugin mimicking either woocommerce-subscription or woocommerce-notification, phones home, and then removes itself to hide its tracks.

Once active, the disguised plugin quietly gathers WordPress login credentials such as usernames, passwords, session cookies, user roles, IP addresses, and browser details. It also pulls 2FA secrets stored by common security plugins, database login information and authentication keys from wp-config.php, administrator account records, SMTP and email service logins, plus WooCommerce order records covering the previous three months that contain payment details.

Compromise limited to premium builds, free versions clean. ShapedPlugin offers front-end, UI, and content display tools whose free editions exceed 400,000 active installs. WordPress.org-hosted packages stayed untouched, pointing to a breach isolated inside the vendor's paid release systems. Analysts from Wordfence, CyberInsider, and Mallory.ai all concluded the changes resulted from a build pipeline intrusion, citing automated timestamp patterns and leftover Git references inside the delivered files.

WordPress assigned CVE-2026-10735 to the event, while CVE-2026-49777 was filed as a duplicate. Fixes appeared in Product Slider Pro 3.5.4 and Smart Post Show Pro 4.0.2. Real Testimonials Pro 3.2.6 also shipped, listing only a correction for WPCS-related warnings. The company indicated it would issue a full public statement once Wordfence validated that the patches resolved every issue. This episode arrives soon after a separate CDN-based supply-chain breach that hit OptinMonster earlier in 2026.

Wordfence has advised administrators to treat any premium installations from April through June 2026 as potentially compromised.