ShapedPlugin Supply Chain Attack Delivers Malware to WordPress Sites via Official Updates
A sophisticated supply chain attack has compromised several paid **WordPress** plugins from **ShapedPlugin**, distributing malicious updates to customers through the vendor's official channels. The malware installs a stealthy, fake **WooCommerce** plugin designed to steal sensitive credentials and grant attackers remote file-writing capabilities on affected sites.
Multiple **WordPress** plugins developed by **ShapedPlugin** have been targeted in a supply chain attack, resulting in infected releases being delivered to paying customers through the vendor's legitimate update system. This incident highlights the persistent threat of compromised software delivery pipelines.
The distributed malware installs a deceptive plugin that mimics **WooCommerce** components. Its primary objectives include credential theft and establishing remote file-writing capabilities for the attackers.
**ShapedPlugin** specializes in front-end and UI components for **WordPress**, with its free products alone boasting over 400,000 active installations.

### Affected Plugins and Timeline
The security breach specifically impacted three paid plugins:
* **Product Slider Pro for WooCommerce** (versions prior to 3.5.4)
* **Real Testimonials Pro** (version 3.2.5)
* **Smart Post Show Pro** (versions prior to 4.0.2)
According to data from **WordPress** security firm **Defiant** (makers of **Wordfence**), the backdoor was injected into **ShapedPlugin**'s Pro builds on May 21. Customer reports of potentially malicious updates began surfacing on June 10.
Researchers confirmed the breach on June 12 after downloading infected plugins directly from the **ShapedPlugin** website. The publisher officially acknowledged the incident on June 16.
"Our team immediately initiated an investigation upon identifying the concern, and we have already implemented the necessary measures to mitigate the issue," **ShapedPlugin** communicated to **Wordfence**.
The vendor also stated they were preparing and validating updated plugin releases before pushing them to their update channels.
### Understanding the Supply Chain Compromise
**Wordfence**'s analysis revealed that the infected plugins contain a malicious loader file, `LicenseLoader.php`. This file activates when a **WordPress** administrator accesses the website's admin panel.
Upon activation, `LicenseLoader.php` contacts a command-and-control (C2) server to download a second-stage backdoor. This backdoor is then installed as a fake plugin, masquerading as either `woocommerce-subscription` or `woocommerce-notification`. After reporting to the attacker, the loader file self-deletes to remove evidence.
The stealthy fake plugin, hidden from the standard **WordPress** plugin list, attempts to exfiltrate a wide array of sensitive information, including:
* **WordPress** login credentials (usernames, passwords, session cookies, user roles, IP addresses, browser details)
* Two-factor authentication (2FA) secrets from popular **WordPress** security plugins
* Database credentials and **WordPress** authentication keys from `wp-config.php`
* Administrator account details
* SMTP/email service credentials
* **WooCommerce** order data from the past three months, including payment method information
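The indicators above (the `LicenseLoader.php` loader and the two fake plugin directory names) lend themselves to a simple on-disk triage check. The following script is an added example, not Wordfence's or ShapedPlugin's code: it walks a `wp-content/plugins` directory and flags those indicators, plus a heuristic of my own (a plugin hooking the `all_plugins` filter, which is the usual way a plugin hides itself from the Plugins screen). The sample plugin tree it scans is constructed inline.

```python
import os
import re
import tempfile

# Indicators named in the Wordfence write-up summarised above.
LOADER_FILENAME = "LicenseLoader.php"
FAKE_PLUGIN_DIRS = {"woocommerce-subscription", "woocommerce-notification"}
# Heuristic (assumption, not from the write-up): filtering 'all_plugins' is
# how a plugin would hide itself from the standard plugin list.
HIDE_PATTERN = re.compile(r"add_filter\(\s*['\"]all_plugins['\"]")

def scan_plugins(plugins_dir):
    """Return sorted (rule, relative_path) findings for a wp-content/plugins dir."""
    findings = set()
    for entry in os.scandir(plugins_dir):
        if entry.is_dir() and entry.name in FAKE_PLUGIN_DIRS:
            findings.add(("fake-plugin-dir", entry.name))
    for dirpath, _dirs, files in os.walk(plugins_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, plugins_dir)
            if name == LOADER_FILENAME:
                findings.add(("loader-file", rel))
            if name.endswith(".php"):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    if HIDE_PATTERN.search(fh.read()):
                        findings.add(("hides-from-plugin-list", rel))
    return sorted(findings)

def build_sample_site(plugins_dir):
    """Write a constructed plugins tree: one clean plugin, one carrying the
    loader file name, and one fake WooCommerce plugin hooking all_plugins."""
    files = {
        "woocommerce/woocommerce.php": "<?php // genuine plugin, clean\n",
        "product-slider-pro/LicenseLoader.php": "<?php // constructed stand-in\n",
        "woocommerce-notification/woocommerce-notification.php":
            "<?php add_filter('all_plugins', 'hide_me'); // constructed\n",
    }
    for rel, body in files.items():
        path = os.path.join(plugins_dir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

def demo():
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_plugins(tmp)
```

On a real site, point `scan_plugins` at the actual `wp-content/plugins` path; the `all_plugins` heuristic can fire on legitimate plugin-management tools, so treat it as a lead to inspect, not a verdict.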
Researchers suspect a build pipeline compromise, citing file modifications, timestamp patterns indicative of automated injection, and Git build references within the packages. Significantly, releases hosted on **WordPress.org** were confirmed to be clean, suggesting attackers gained access specifically to **ShapedPlugin**'s proprietary release infrastructure.
This incident is being tracked under **CVE-2026-10735**, with **CVE-2026-49777** filed as a duplicate.
### Broader Context and Remediation
This **ShapedPlugin** compromise follows closely on the heels of another major **WordPress** product, **OptinMonster**, which experienced a CDN supply chain attack. In that case, a flaw in a marketing server allowed attackers to steal CDN account credentials. The **ShapedPlugin** incident, however, points to a compromise within the build pipeline itself.
**ShapedPlugin** has since pointed to the release of **Real Testimonials Pro version 3.2.6**, whose changelog describes the fix only as "Fix: Some WPCS-related warnings." **Wordfence**'s confirmation that these patches fully address the issue is still pending.
**Wordfence** has confirmed that fixes are available in **Product Slider Pro version 3.5.4** and **Smart Post Show Pro version 4.0.2**.
Site administrators who discover these fake **WooCommerce** plugins are strongly advised to immediately reset all site passwords, regenerate two-factor authentication (2FA) secrets, and thoroughly review user lists for any unauthorized additions.