Supply Chain Attack Strikes ShapedPlugin, Backdooring Premium WordPress Plugins
A sophisticated supply chain attack has compromised multiple premium **WordPress** plugins from **ShapedPlugin**, injecting malicious backdoor code into their official release channels. This incident, affecting legitimate licensed users, highlights the growing risk of attacks targeting software distribution pipelines.
Multiple **WordPress** plugins developed by **ShapedPlugin** have been compromised in a supply chain attack, where unknown threat actors successfully tampered with official release channels to distribute malicious backdoor code.
"Attackers compromised the vendor's build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels," **Wordfence** stated in a recent analysis.
This critical incident primarily impacts the following **ShapedPlugin** premium offerings:
* **Product Slider Pro for WooCommerce** (versions before 3.5.4)
* **Real Testimonials Pro** (version 3.2.5)
* **Smart Post Show Pro** (versions before 4.0.2)
It's crucial to note that only the Pro plugin builds, distributed via **ShapedPlugin**'s **Easy Digital Downloads (EDD)** infrastructure through `account.shapedplugin[.]com`, are affected. The free versions of these plugins available on **WordPress.org** remain uncompromised.
The supply chain compromise associated with **Product Slider Pro for WooCommerce** has been assigned **CVE-2026-49777**, carrying a maximum-severity **CVSS** score of 10.0. The overarching incident has been identified as **CVE-2026-10735**, with a **CVSS** score of 9.8.

**Wordfence**'s security researchers detailed that the compromised plugin versions integrate a loader. This loader activates on every admin page, initiating a fetch for a payload from a remote server (`194.76.217[.]28:2871`). Subsequently, it installs and activates this payload as a disguised, fake plugin.
Upon activation, the malware reports the victim's domain back to the command-and-control server and then self-erases to obscure its presence and complicate incident response efforts. The counterfeit plugin, designed to remain hidden from the **WordPress** admin plugin list, is capable of capturing plaintext credentials and two-factor authentication (**2FA**) codes.
Furthermore, it establishes multiple persistence mechanisms, enabling arbitrary file writes via a custom **REST** endpoint when provided with a specific authentication token. It can also deploy a web shell with command execution capabilities. Finally, a bundled **PHP** file named `install-persistent.php` is used to exfiltrate sensitive data, including:
* Full contents of `wp-config.php`, encompassing database credentials, authentication keys, and debug settings.
* All administrator accounts with their registration dates.
* Mail plugin credentials from **WP Mail SMTP**, **Post SMTP**, and **Easy WP SMTP**.
* **WooCommerce** order data from the last three months, including payment method breakdowns.
Once this data is displayed, the `install-persistent.php` file is deleted. Evidence suggests that the attack likely originated from a compromise of the build pipeline rather than a direct poisoning of the packages.
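For defenders triaging a site, here is an added example (not code from the article, **Wordfence**, or **ShapedPlugin**): a read-only Python scan of a `wp-content/plugins` tree for the indicators described above. The C2 address and the `install-persistent.php` filename come from the article; the `all_plugins` filter heuristic is an assumption (hooking that filter is a common way a plugin hides itself from the admin list), and the sample plugin tree is constructed for the demo.

```python
# Added example, not part of the article: read-only triage scan of a WordPress
# plugins directory for the indicators described in the write-up.
import os
import re
import tempfile

# C2 address and dropper filename are from the article. The "all_plugins" filter
# check and the REST-route-plus-file-write check are assumed heuristics, not IoCs.
INDICATORS = {
    "c2_address": re.compile(r"194\.76\.217\.28(?::2871)?"),
    "persistence_dropper": re.compile(r"install-persistent\.php"),
    "hides_from_plugin_list": re.compile(r"add_filter\(\s*['\"]all_plugins['\"]"),
    "rest_endpoint_plus_file_write": re.compile(
        r"register_rest_route.*?(file_put_contents|fwrite)", re.S),
}

def scan_plugins_dir(plugins_dir):
    """Return {relative_path: [indicator names]} for every .php file that matches."""
    findings = {}
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            hits = [key for key, rx in INDICATORS.items() if rx.search(text)]
            if hits:
                findings[os.path.relpath(path, plugins_dir)] = hits
    return findings

def build_sample_tree():
    """Constructed sample: one benign plugin and one file mimicking the described loader."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "benign-plugin"))
    with open(os.path.join(base, "benign-plugin", "benign-plugin.php"), "w") as fh:
        fh.write("<?php\n/* Plugin Name: Benign */\nadd_action('init', 'benign_init');\n")
    os.makedirs(os.path.join(base, "fake-plugin"))
    with open(os.path.join(base, "fake-plugin", "fake-plugin.php"), "w") as fh:
        fh.write("<?php\nadd_filter('all_plugins', 'hide_me');\n"
                 "$u = 'http://194.76.217.28:2871/p';\n"
                 "register_rest_route('x/v1', '/w', $args);\nfile_put_contents($p, $b);\n")
    return base

if __name__ == "__main__":
    for path, hits in scan_plugins_dir(build_sample_tree()).items():
        print(path, "->", ", ".join(hits))
```

Point `scan_plugins_dir()` at a real `wp-content/plugins` directory to list files that match; any hit on the C2 address or dropper filename warrants the full password and **2FA** reset described below.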
The severity of this attack lies in its ability to target site owners who have purchased legitimate licenses and installed updates directly from the vendor's official update system, unwittingly exposing them to sophisticated malware.
**ShapedPlugin** has acknowledged the incident following notification and is actively reviewing its distribution and release processes to bolster the integrity of its products. New, validated versions of the affected plugins are expected to be released after comprehensive security reviews.
Site owners who suspect they have installed the malicious versions are strongly advised to take immediate action:
* Reset all user passwords.
* Revoke and regenerate **2FA** secrets for all users.
* Thoroughly review administrator accounts for any unauthorized additions.
* Check mail plugin configurations for modified **SMTP** credentials.