A supply‑chain compromise at WordPress vendor ShapedPlugin led to malicious code being shipped through its official update system for certain Pro plugins. The incident is tracked as CVE-2026-10735, with CVE-2026-49777 referenced as a duplicate in reporting. According to analyses from Wordfence and BleepingComputer, attackers tampered with the vendor’s build and distribution pipeline, causing paying customers to receive backdoored releases through licensed update channels — not from third‑party mirrors or pirated downloads.
Why it matters: this is a classic trust-abuse scenario. Site owners followed best practices by buying licenses and applying vendor updates, yet still received a compromised package. It’s a reminder that supply-chain security matters as much as endpoint security.
What’s confirmed
Both sources indicate the compromise impacted Pro builds distributed via ShapedPlugin’s commercial infrastructure, while free versions hosted on WordPress.org were reported as clean. Wordfence rates the issue critical (CVSS 9.8) under CVE-2026-10735 and notes that the attack used a two‑stage backdoor delivered in legitimate‑looking packages.
BleepingComputer reports that the following Pro products were affected:
- Product Slider Pro for WooCommerce before 3.5.4
- Real Testimonials Pro 3.2.5
- Smart Post Show Pro before 4.0.2
Wordfence’s technical write‑up describes a malicious loader named LicenseLoader.php that runs when a WordPress administrator accesses the dashboard. The loader contacts a command‑and‑control server at 194.76.217.28:2871, fetches a second‑stage backdoor, installs it as a fake plugin, reports back to the operator, and then self‑deletes to hide its trail. Observed fake plugin names include “woocommerce-subscription” and “woocommerce-notification” (both intentionally singular to resemble legitimate components), and the malware hides itself from the normal plugin list.
The second stage attempts to harvest sensitive data, including:
- WordPress login details (usernames, passwords, session cookies, roles, and some browser/IP context)
- Two‑factor authentication secrets from popular 2FA plugins
- Database credentials and WordPress authentication keys from wp-config.php
- Administrator account details and SMTP service credentials
- Recent WooCommerce order data
Wordfence notes exfiltration of 2FA material to generate.2faplugin.org. The overall behavior is consistent with credential theft, long‑term persistence, and operator-controlled file write capabilities described in the reporting.
Scope and status
Evidence from Wordfence and BleepingComputer points to a build/distribution pipeline compromise specific to ShapedPlugin’s Pro releases, not the free WordPress.org packages. Wordfence obtained a backdoored Pro build from the vendor’s official endpoint during its investigation. BleepingComputer cites Wordfence’s assessment that the backdoor was injected into Pro builds on May 21, with customer reports surfacing June 10 and the vendor acknowledging the issue on June 16.
Regarding fixes, BleepingComputer reports that updates were provided for Product Slider Pro (3.5.4) and Smart Post Show Pro (4.0.2). The Real Testimonials Pro changelog lists version 3.2.6 with a non‑security entry (“WPCS‑related warnings”); per the reporting, ShapedPlugin indicated a broader statement would follow Wordfence’s confirmation that the issue was addressed. Details beyond these notes were not available in the sources at the time of writing.
Practical next steps for site owners
Based on the evidence, immediate checks and actions should focus on potential footholds and sensitive material that may have been exposed:
- Inspect for fake WooCommerce plugins using singular names: “woocommerce-subscription” or “woocommerce-notification.” These may be hidden from the plugins list, so review the wp-content/plugins/ directory directly if needed.
- If any fake plugin is found, reset all passwords on the site (including WordPress admin, database, and any integrated services), regenerate two‑factor authentication secrets, and review user accounts for unauthorized additions.
These steps are drawn from the recommendations relayed in the reporting. Because the initial loader is designed to self‑delete, evidence can be transient, and a clean admin view does not guarantee a clean system.
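As an added illustration of the directory-level check above (this is not code from Wordfence, BleepingComputer or ShapedPlugin), the following POSIX shell helper lists plugin directories on disk that match the observed fake slugs, flags any directory absent from a caller-supplied list of what WordPress reports (one slug per line, for example from `wp plugin list --field=name`), and searches for the loader file name. The WordPress root path and the slug list file are assumptions.

```shell
#!/bin/sh
# Added triage helper for the checks described in the reporting; not vendor or Wordfence code.
# Assumptions: $1 is the WordPress root; optional $2 is a file with one plugin slug per line
# as reported by the admin UI or `wp plugin list --field=name`, used to spot directories
# that exist on disk but are not shown (the malware hides its fake plugins from the list).

# Fake plugin slugs named in the Wordfence / BleepingComputer reporting (singular forms).
IOC_SLUGS="woocommerce-subscription woocommerce-notification"

# scan_plugins <wp_root> [visible_slugs_file]
# Prints one finding per line. Exit status: 0 clean, 1 findings, 2 not a WordPress tree.
scan_plugins() {
    root="$1"
    visible="${2:-}"
    plugdir="$root/wp-content/plugins"
    found=0
    [ -d "$plugdir" ] || { echo "no plugin directory at $plugdir" >&2; return 2; }

    for d in "$plugdir"/*/; do
        [ -d "$d" ] || continue            # glob matched nothing
        slug=$(basename "$d")
        # 1. Exact match against the observed fake slugs.
        for ioc in $IOC_SLUGS; do
            if [ "$slug" = "$ioc" ]; then
                echo "IOC_SLUG $slug"
                found=1
            fi
        done
        # 2. On disk but missing from what WordPress reports: hidden, or at least unreviewed.
        if [ -n "$visible" ] && ! grep -qx -- "$slug" "$visible"; then
            echo "HIDDEN_FROM_LIST $slug"
            found=1
        fi
    done

    # 3. The first-stage loader file name from the write-up. It self-deletes after
    #    running, so a miss here does not clear the site.
    loaders=$(find "$root/wp-content" -type f -name 'LicenseLoader.php' 2>/dev/null)
    if [ -n "$loaders" ]; then
        printf '%s\n' "$loaders" | sed 's/^/LOADER_FILE /'
        found=1
    fi

    return "$found"
}

# Usage: sh scan_plugins.sh /var/www/html [visible.txt]
if [ "$#" -ge 1 ]; then
    scan_plugins "$@"
fi
```

Any HIDDEN_FROM_LIST hit should be inspected by hand, since a legitimately installed plugin that simply was not in the supplied list will also be reported.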
What remains unclear
- The precise root cause inside the build pipeline is not publicly detailed. Both sources point to a build/distribution compromise, but do not provide a definitive mechanism.
- The full list of affected Pro versions beyond those named above may evolve as reviews complete. The WordPress.org‑hosted free versions were reported as unaffected.
- CVE-2026-49777 was referenced as a duplicate; CVE-2026-10735 is the primary tracker in the reports.
Staying safer around WordPress supply chains
No single control prevents supply‑chain abuse, but layered precautions help reduce impact:
- Keep strong credential hygiene and enable 2FA for privileged accounts; regenerate secrets after incidents.
- Monitor for unexpected plugins, especially ones that mimic well‑known names, and use reputable security scanners capable of detecting hidden or obfuscated components.
- Treat unusual update behavior (unexpected prompts, unlisted changelog items, or sudden admin anomalies) as a signal to pause and verify.
Bottom line
Trusted update channels are powerful — for defenders and attackers alike. The ShapedPlugin incident shows how a compromised build pipeline can turn routine updates into an intrusion vector. According to Wordfence and BleepingComputer, only commercial Pro releases distributed by the vendor’s infrastructure were affected, with free WordPress.org packages reported clean. Site owners who discover the fake WooCommerce plugins should reset credentials, regenerate 2FA, and audit users, then follow vendor guidance as verified updates become available.
Sources: Wordfence, BleepingComputer
Alex Mira is a fictitious AI-assisted author created for the Toolslib blog. Designed to support cybersecurity education, Alex writes about malware trends, software utilities, privacy practices, Windows internals, and practical defensive workflows. Articles published under Alex’s name are generated or assisted by AI and reviewed according to Toolslib’s editorial standards before publication.