ShapedPlugin Supply Chain Attack Backdoors Pro WordPress Plugins via Official Update Channels
Attackers compromised ShapedPlugin's build pipeline, injecting a critical backdoor (CVE-2026-10735) into Pro plugin updates distributed through official channels, affecting over 400,000 sites.

The Wordfence Threat Intelligence Team disclosed on June 16, 2026, that ShapedPlugin, a WordPress plugin vendor with over 400,000 active free installations, suffered a supply-chain compromise. Attackers breached the vendor's build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels. The backdoor, tracked as CVE-2026-10735 with a CVSS score of 9.8, affects plugins including Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro, and gives unauthenticated attackers backdoor access to affected sites.
The compromise was first reported to Wordfence by a customer on June 11, 2026. Wordfence researchers confirmed the attack and reached out to ShapedPlugin on June 15, 2026. The vendor acknowledged the incident on June 16, 2026, stating they had "implemented the necessary measures to mitigate the issue" and were "preparing updated plugin releases." The attack is particularly insidious because affected site owners followed security best practices by purchasing legitimate licenses and installing updates directly from the vendor's official system.
Technical analysis by Wordfence revealed a two-stage backdoor. Stage 1 involves a malicious file, src/Includes/LicenseLoader.php, loaded via a modified TestimonialPRO.php on every admin page. This loader downloads a payload from a command-and-control server at 194.76.217.28:2871, installs it as a fake plugin using WordPress's Plugin_Upgrader class, reports the victim domain back to the C2, and then self-deletes to cover its tracks. This self-deleting behavior complicates forensic analysis for site owners who discover the infection later.
Stage 2 involves the dropped payload, which installs as wp-content/plugins/woocommerce-subscription/ (note the singular "subscription" versus the legitimate WooCommerce Subscriptions plugin). The backdoor provides persistent, unauthenticated access to the attacker, allowing them to execute arbitrary commands, steal data, or deploy additional malware. Wordfence noted that compromised packages continued to be distributed even after an initial patch for Product Slider Pro (CVE-2026-49777) was released, indicating the attacker maintained access to the distribution pipeline.
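As an added example (not Wordfence's or ShapedPlugin's code), the following Python scanner checks a WordPress install for the three indicators described above: the Stage 1 loader path, the Stage 2 dropped plugin directory, and any plugin source still referencing the C2 address. The plugin directory name testimonial-pro used in the constructed sample tree is an assumption, and because the loader self-deletes, a clean result for that indicator alone does not clear a site.

```python
# Added example: scan a WordPress install for the indicators named in the
# disclosure above (not Wordfence's or ShapedPlugin's code).
import re
import tempfile
from pathlib import Path

C2_PATTERN = re.compile(rb"194\.76\.217\.28(?::2871)?")   # C2 host[:port]
LOADER_SUFFIX = "src/Includes/LicenseLoader.php"           # Stage 1 loader
DROPPED_PLUGIN_DIR = "woocommerce-subscription"            # Stage 2 drop (singular)
SCAN_EXTENSIONS = {".php", ".inc", ".js", ".json", ".txt"}

def scan_wordpress_tree(wp_root):
    """Return sorted (indicator, path) findings under wp_root/wp-content/plugins."""
    plugins = Path(wp_root) / "wp-content" / "plugins"
    if not plugins.is_dir():
        return []
    findings = []
    # Stage 2: exact directory name, so the legitimate
    # "woocommerce-subscriptions" plugin is never flagged.
    dropped = plugins / DROPPED_PLUGIN_DIR
    if dropped.is_dir():
        findings.append(("dropped-plugin-dir", str(dropped)))
    for path in plugins.rglob("*"):
        if not path.is_file():
            continue
        # Stage 1: the loader self-deletes, so its absence proves nothing.
        if path.as_posix().endswith(LOADER_SUFFIX):
            findings.append(("stage1-loader", str(path)))
        # Any plugin source still carrying the C2 address.
        if path.suffix.lower() in SCAN_EXTENSIONS:
            try:
                data = path.read_bytes()
            except OSError:
                continue
            if C2_PATTERN.search(data):
                findings.append(("c2-reference", str(path)))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample tree (not a real capture): all three indicators,
    the legitimate plugin name and one clean plugin. Plugin dir name assumed."""
    plugins = Path(tempfile.mkdtemp(prefix="wp-demo-")) / "wp-content" / "plugins"
    loader = plugins / "testimonial-pro" / "src" / "Includes" / "LicenseLoader.php"
    loader.parent.mkdir(parents=True)
    loader.write_bytes(b"<?php\n$c2 = 'http://194.76.217.28:2871/';  // constructed\n")
    (plugins / DROPPED_PLUGIN_DIR).mkdir()
    (plugins / "woocommerce-subscriptions").mkdir()
    (plugins / "akismet").mkdir()
    (plugins / "akismet" / "akismet.php").write_bytes(b"<?php // clean\n")
    return plugins.parent.parent
```

Run it against a real install by calling scan_wordpress_tree with the site's document root; findings are only a starting point for incident response, not a complete sweep.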
ShapedPlugin's free plugins on WordPress.org were not affected; the compromise was limited to Pro versions distributed via Easy Digital Downloads through account.shapedplugin.com. Wordfence had already developed malware detection signatures for the backdoor, with premium customers receiving protection immediately and free users after a 30-day delay. The vendor is expected to release verified, patched versions of all affected plugins once security reviews are complete.
This incident underscores the growing threat of supply-chain attacks targeting WordPress plugin ecosystems. As vendors increasingly rely on automated build and distribution pipelines, a single compromise can cascade to hundreds of thousands of sites. Site administrators are advised to verify plugin integrity, monitor for unexpected files, and ensure they are using the latest patched versions once released. Wordfence continues to provide detection signatures and incident response services for affected customers.