Trojanized WowShipping Pro Plugin Installs Hidden Remote Access Toolkit in Supply Chain Attack
A trojanized copy of the WowShipping Pro WordPress plugin contains a dropper that silently installs a full-featured remote access toolkit, with the vendor releasing a fix on March 22, 2026.

A supply chain attack has compromised the WowShipping Pro WordPress plugin: trojanized version 1.0.6 contains a dropper that silently installs a hidden remote access toolkit. The malicious code was discovered by Chad Yoder of Black Anvil Creative, who traced a client site compromise back to the plugin and reported it to Patchstack on April 16, 2026. According to the reporter, the trojanized copy originated directly from WPXPO, the plugin's developer.
The dropper is embedded in the file `includes/class-plugin-actions.php`, which was modified on March 13, 2026—five days after the rest of the package was built on March 8. The injected code uses space indentation while the surrounding file uses tabs, lacks a PHPDoc block unlike other methods, and employs raw cURL and ZipArchive instead of WordPress filesystem APIs, indicating the modification was not made by the original developer.
The attack operates in two stages. Stage 1 is the dropper, which registers a callback on the `admin_init` hook, firing on every admin page load by any authenticated administrator. It searches for a plugin with the slug `woocommerce-notifications`. If not found, it downloads a zip archive from a hardcoded attacker-controlled IP using raw cURL, extracts it into `wp-content/plugins/`, activates the resulting plugin, and sends a beacon containing the victim's domain to the attacker's IP.
Stage 2 is the fake "WooCommerce Notifications" plugin that the dropper installs, which contains the actual malware—a full-featured remote access toolkit. This secondary plugin persists even if the original WowShipping Pro plugin is updated, as updating alone does not remove already-installed malware.
WPXPO released versions 1.0.7 and 1.0.8 on March 22, 2026, which remove the dropper. The changelog entries read simply "Fix: Some Issue Fixed." On March 24, WPXPO sent an email to Pro customers titled "Security Update – Action Required," asking users to update. The email did not describe the nature of the issue, name the malware, or provide detection or remediation instructions. In private correspondence, WPXPO acknowledged the report and stated they had reviewed their build process, secured their servers, and performed a full audit.
The full scope of the incident is unclear. WPXPO's email stated that "all Pro plugins" should be updated, suggesting the issue may not be limited to WowShipping Pro, but Patchstack has not independently verified other plugins. Site owners running WowShipping Pro should update to at least version 1.0.8 and scan for the secondary malicious plugin. Patchstack has released a mitigation rule but warns it does not guarantee protection if the site is already infected.
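
As an added example (not code from Patchstack, WPXPO, or the reporter), the sketch below turns the traits described above into a filesystem check for a `wp-content/plugins` directory: it looks for the `woocommerce-notifications` directory and flags any plugin's `includes/class-plugin-actions.php` that shows at least two of the reported dropper traits. It assumes the stage-2 directory is named after its slug; the function names and the sample tree built by `demo()` are constructed for illustration.

```python
import tempfile
from pathlib import Path

STAGE2_SLUG = "woocommerce-notifications"           # slug named in the article
DROPPER_FILE = "includes/class-plugin-actions.php"  # file named in the article

# Constructed, inert sample files: the suspect one only carries marker text in comments.
CLEAN = "<?php\nclass A {\n\tfunction run() {\n\t\treturn true;\n\t}\n}\n"
SUSPECT = CLEAN + "    // curl_init ZipArchive\n    // woocommerce-notifications\n"


def scan_plugins(plugins_dir):
    """Return (path, reason) findings for one wp-content/plugins directory."""
    plugins_dir = Path(plugins_dir)
    findings = []
    # Stage 2. Assumption: the extracted directory is named after the slug.
    if (plugins_dir / STAGE2_SLUG).is_dir():
        findings.append((str(plugins_dir / STAGE2_SLUG), "stage-2 plugin directory present"))
    # Stage 1. Every plugin is checked because the affected set is unverified.
    for php in sorted(plugins_dir.glob("*/" + DROPPER_FILE)):
        text = php.read_text(errors="replace")
        lines = text.splitlines()
        traits = []
        if "curl_init" in text and "ZipArchive" in text:
            traits.append("raw cURL with ZipArchive")
        if STAGE2_SLUG in text:
            traits.append("references stage-2 slug")
        # Two leading spaces, so " * " docblock lines are not counted.
        if any(l.startswith("\t") for l in lines) and any(l.startswith("  ") for l in lines):
            traits.append("mixed tab/space indentation")
        if len(traits) >= 2:  # one trait alone is too weak to report
            findings.append((str(php), "; ".join(traits)))
    return findings


def demo():
    """Scan a constructed plugin tree; return findings with relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / STAGE2_SLUG).mkdir()
        for name, body in (("clean-plugin", CLEAN), ("suspect-plugin", SUSPECT)):
            target = root / name / DROPPER_FILE
            target.parent.mkdir(parents=True)
            target.write_text(body)
        return [(Path(p).relative_to(root).as_posix(), why) for p, why in scan_plugins(root)]


if __name__ == "__main__":
    for path, why in demo():
        print(f"{path}: {why}")
```

A finding is a lead for manual review, not proof of compromise, and an empty result does not clear a site, since the check only covers the traits reported here.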