
A supply-chain attack targeted ShapedPlugin, a WordPress plugin developer with more than 400,000 active installations across its free products.
The backdoored premium plugin releases were distributed through the company's official update infrastructure.
The malware provided attackers with persistent access to websites, stole administrator credentials and two-factor authentication (2FA) secrets, and deployed multiple remote access mechanisms.
The incident was disclosed by the Wordfence Threat Intelligence team after it was notified of suspicious activity on June 11, 2026. During its investigation, Wordfence found that attackers had compromised ShapedPlugin's build and distribution pipeline and were injecting malicious code into premium plugin packages delivered through the vendor's Easy Digital Downloads (EDD) update system.
ShapedPlugin develops WordPress plugins for sliders, carousels, testimonials, and content displays. While its free plugins are distributed through WordPress.org, premium versions are sold and updated through the company's own licensing platform. According to Wordfence, the compromise affected only premium products distributed through ShapedPlugin's commercial infrastructure.
ShapedPlugin said it immediately launched an investigation after being notified and is preparing verified plugin releases following security reviews and validation testing.
Malware delivered through legitimate updates
Wordfence confirmed that compromised copies of Real Testimonials Pro version 3.2.5 were being served from ShapedPlugin's official update endpoint as recently as June 12. The researchers also linked the attack to Product Slider Pro for WooCommerce and Smart Post Pro.
The malicious packages contained a file named LicenseLoader.php, which was loaded automatically within the WordPress admin panel. The loader contacted a command-and-control (C2) server at 194.76.217.28:2871, downloaded a second-stage payload, installed it as a fake plugin, reported the victim's domain to the attackers, and then deleted itself to hinder forensic analysis.
The payload disguised itself as plugins named woocommerce-subscription or woocommerce-notification, mimicking legitimate WooCommerce-related extensions. It bundled several attacker tools, including Tiny File Manager 2.6, Adminer 5.2.1, a web shell, a REST API backdoor, credential-stealing components, and a login bypass mechanism.
Credentials and 2FA secrets stolen
The malware intercepted WordPress authentication events to collect usernames, passwords, session cookies, IP addresses, browser details, and user privileges.
It also targeted TOTP secrets stored by several popular WordPress two-factor authentication plugins, including WP 2FA, Wordfence Login Security, Really Simple SSL 2FA, and the Two-Factor plugin. The stolen information was exfiltrated to generate.2faplugin.org.
By obtaining both passwords and TOTP seeds, attackers could maintain access to accounts even after password resets, since a password reset alone does not invalidate a stolen TOTP seed.
Signs of a build pipeline compromise
Wordfence says the evidence points to a compromise of ShapedPlugin's build pipeline rather than simple package tampering.
Timestamp analysis showed that only four files were modified within a two-hour window on May 21, 2026, suggesting an automated injection process. The researchers also found references to private Git repositories within plugin metadata and observed changes in deployment patterns tied to ShapedPlugin's release workflow.
The attackers appear to have had access to both free and commercial release channels but selectively backdoored premium plugins, likely to avoid detection and target higher-value victims.
The broader compromise is tracked as CVE-2026-10735, while Product Slider Pro was previously assigned CVE-2026-49777.
Administrators urged to investigate
Wordfence recommends that anyone who installed ShapedPlugin premium plugins between April and June 2026 assume their site may have been compromised.
Administrators should scan for malware, check for suspicious plugins such as woocommerce-subscription and woocommerce-notification, remove unauthorized accounts, rotate WordPress, database, SMTP, and API credentials, and regenerate all two-factor authentication secrets.
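One way to check a site for the indicators named in this report, as an added example that is not Wordfence's or ShapedPlugin's code: it walks the standard wp-content/plugins layout, flags the plugin directory names and loader filename quoted above, and greps PHP files for the C2 address and exfiltration host. The sample site it builds is constructed for demonstration and does not contain the real loader.

```python
# Added example (not Wordfence's or ShapedPlugin's code): walk a WordPress
# install and flag the indicators named in the article. Indicator values
# come from the write-up; the directory layout is the standard WordPress one.
import os
import re
import tempfile

SUSPICIOUS_PLUGIN_DIRS = {"woocommerce-subscription", "woocommerce-notification"}
SUSPICIOUS_FILES = {"LicenseLoader.php"}
# Network indicators quoted in the article (C2 address and exfiltration host)
IOC_PATTERN = re.compile(rb"194\.76\.217\.28|generate\.2faplugin\.org")

def scan_plugins(wp_root):
    """Return a sorted list of (kind, path) findings under wp-content/plugins."""
    findings = []
    plugins_dir = os.path.join(wp_root, "wp-content", "plugins")
    if not os.path.isdir(plugins_dir):
        return findings
    for name in os.listdir(plugins_dir):
        if name in SUSPICIOUS_PLUGIN_DIRS:
            findings.append(("suspicious-plugin-dir", os.path.join(plugins_dir, name)))
    for dirpath, _, filenames in os.walk(plugins_dir):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if fn in SUSPICIOUS_FILES:
                findings.append(("loader-file", path))
            if fn.endswith(".php"):
                try:
                    with open(path, "rb") as f:
                        if IOC_PATTERN.search(f.read()):
                            findings.append(("ioc-reference", path))
                except OSError:
                    pass  # unreadable file: skip rather than abort the scan
    return sorted(findings)

def build_sample_site():
    """Create a constructed, throwaway WordPress tree with planted indicators."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    plugins = os.path.join(root, "wp-content", "plugins")
    os.makedirs(os.path.join(plugins, "real-testimonials-pro"))
    os.makedirs(os.path.join(plugins, "woocommerce-subscription"))
    os.makedirs(os.path.join(plugins, "akismet"))
    with open(os.path.join(plugins, "real-testimonials-pro", "LicenseLoader.php"), "wb") as f:
        f.write(b"<?php // constructed stand-in, not the real loader\n$c = '194.76.217.28';\n")
    with open(os.path.join(plugins, "akismet", "akismet.php"), "wb") as f:
        f.write(b"<?php // benign placeholder, must not be flagged\n")
    return root
```

Run `scan_plugins("/path/to/wordpress")` against a real install; on the constructed tree it reports the planted directory, the loader file and the IoC reference and stays silent on the benign plugin.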
The disclosure comes days after another major WordPress supply-chain attack affecting OptinMonster, TrustPulse, and PushEngage, highlighting the growing trend of attackers compromising trusted software distribution channels to gain access to large numbers of websites.