A sophisticated supply chain attack against WordPress plugin vendor ShapedPlugin injected credential-stealing backdoor code into official plugin updates for three of its premium products. Any WordPress site that received one of the tainted updates between May 21 and June 10, 2026 should be treated as fully compromised: admin passwords, 2FA codes, SMTP credentials, and three months of WooCommerce order data were silently exfiltrated.

Unlike typical vulnerability disclosures, this is not a flaw in the plugin code — it is a breach of the vendor's own build and distribution pipeline. Attackers compromised ShapedPlugin's internal systems and poisoned the update packages themselves. Every site that auto-updated or manually updated during the three-week window received the backdoor directly from the vendor's servers.

CVE Reference

  • CVE-2026-10735 — Supply chain loader/incident identifier
  • CVE-2026-49777 — Product Slider Pro for WooCommerce payload
  • CVSS Score: 10.0 (Critical — maximum)
  • Active Exploitation: YES — actively exploited May 21 – June 10, 2026
  • Estimated exposed sites: 400,000+

Affected Plugins and Versions

Plugin                              | Backdoored Version  | Clean Version
Product Slider Pro for WooCommerce  | Before 3.5.4        | 3.5.4+
Real Testimonials Pro               | 3.2.5 specifically  | Latest release
Smart Post Show Pro                 | Before 4.0.2        | 4.0.2+

Note: Free versions of ShapedPlugin products distributed via WordPress.org were not affected. Only the paid Pro versions distributed through ShapedPlugin's own update servers were compromised.

How the Supply Chain Attack Worked

The attack followed a well-established supply chain pattern. Rather than targeting each victim individually, the attackers compromised ShapedPlugin's build and distribution infrastructure and let ordinary WordPress plugin update mechanisms do the work.

The malicious loader embedded in the backdoored plugin files executes on every WordPress admin page load and performs the following sequence:

  1. Fetches a remote payload from a command-and-control server at 194.76.217.28:2871
  2. Installs the payload as a fake WordPress plugin in the plugin directory
  3. Auto-activates the fake plugin to gain code execution in the WordPress context
  4. Reports the victim domain back to the C2 server for cataloging
  5. Erases itself to cover tracks and complicate forensic analysis

The installed payload collected and exfiltrated:

  • WordPress admin credentials (username and password in plaintext)
  • 2FA/TOTP codes at the moment of admin login
  • SMTP credentials configured in email plugins (API keys, passwords)
  • Three months of WooCommerce order data (customer names, addresses, order details)

After exfiltration, the payload self-deleted, leaving minimal forensic artifacts and making incident response significantly more difficult. The self-erasure mechanism is one reason the attack continued undetected for nearly three weeks.

Why Supply Chain Attacks Are Especially Dangerous

In a conventional vulnerability exploit, attackers must scan for and target vulnerable sites individually. In a supply chain attack, the attacker leverages the trust relationship between vendors and customers. When WordPress sites receive a plugin update from the vendor's own servers, no security tool or administrator review ordinarily treats that as suspicious: the update is expected, and by design it looks like any other legitimate release.

This means that defenses designed to block malicious traffic (WAFs, IP blocklists, rate limiting) provide no protection. The malicious code arrives through a trusted, expected channel: the WordPress update mechanism.

The C2 IP address (194.76.217.28) in outbound connection logs is the most reliable indicator of compromise available. Any historical connection from a WordPress server to this IP during the window should be treated as confirmation of compromise.

Impact: Who Is at Risk

Any WordPress site that installed or auto-updated the affected plugins between May 21 and June 10, 2026 should assume full administrative compromise. Sites particularly at risk include:

  • WooCommerce stores — three months of customer order data (names, addresses, order contents) was exfiltrated
  • Development agencies managing multiple client sites using these premium plugins
  • Any site with auto-updates enabled for ShapedPlugin Pro products — these sites received the backdoor silently without any admin action

Remediation

If you installed any affected version during the compromise window (May 21 – June 10, 2026), treat the site as fully compromised and follow this response sequence:

  1. Immediately reset all WordPress admin passwords for all users on the affected site
  2. Revoke and regenerate all 2FA secrets — TOTP codes active during the compromise window are compromised; reset authenticator apps for all admin accounts
  3. Audit all administrator accounts — check for unauthorized admin accounts created by the malware (Users → All Users, sorted by role)
  4. Audit all email plugin configurations — check SMTP credentials, API keys for Mailchimp, SendGrid, and other email services for unauthorized changes
  5. Review WooCommerce customer data — you may have GDPR/CCPA notification obligations if customer order data was exposed
  6. Update to clean versions: Product Slider Pro 3.5.4+, Smart Post Show Pro 4.0.2+, latest Real Testimonials Pro
  7. Conduct a full server scan for unauthorized files in wp-content/plugins/ — the self-deleting payload may have left partial artifacts
  8. Review outbound traffic logs for any connections to 194.76.217.28 — any match confirms compromise
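The following script is an added example, not code from the advisory or from ShapedPlugin, illustrating the log review called for in step 8 above and in the "Why Supply Chain Attacks Are Especially Dangerous" section: it parses outbound-connection log lines, flags every connection to the published C2 address, and marks which of those fall inside the May 21 to June 10, 2026 window. The log line format (an ISO-8601 timestamp followed by netfilter-style SRC=/DST=/DPT= fields) and the sample lines are constructed for the example; adjust LINE_RE for your own firewall or NetFlow export.

```python
"""Scan outbound-connection logs for contact with the C2 indicator from the advisory.

Added example, not part of the advisory. Assumes a netfilter-style record
("<ISO-8601 timestamp> ... SRC=<ip> DST=<ip> ... DPT=<port>"); adjust LINE_RE
to match the firewall or NetFlow export you actually have.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Indicators and compromise window as published in the advisory.
C2_IP = ipaddress.ip_address("194.76.217.28")
C2_PORT = 2871
WINDOW_START = datetime(2026, 5, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 11, tzinfo=timezone.utc)  # exclusive bound: covers through June 10

# Assumed log format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\b.*?"
    r"\bSRC=(?P<src>[\d.]+)\b.*?\bDST=(?P<dst>[\d.]+)\b.*?\bDPT=(?P<dpt>\d+)\b"
)


def parse_line(line):
    """Return a dict with ts/src/dst/dpt for a matching line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "dst": ipaddress.ip_address(m["dst"]), "dpt": int(m["dpt"])}


def find_c2_contacts(lines):
    """Return (timestamp, src, dst, port, in_window) for each connection to the C2 address.

    Every connection to the C2 IP is reported regardless of port; `in_window`
    marks the ones inside the compromise window, which the advisory treats as
    confirmation of compromise. Hits outside the window still merit review.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] != C2_IP:
            continue
        in_window = WINDOW_START <= rec["ts"] < WINDOW_END
        hits.append((rec["ts"].isoformat(), rec["src"], str(rec["dst"]), rec["dpt"], in_window))
    return hits


# Constructed sample log lines (not real telemetry): one unrelated connection,
# two C2 contacts inside the window, one after it, and one unparseable line.
SAMPLE_LOG = """\
2026-05-20T23:58:01Z kernel: OUT=eth0 SRC=10.0.0.5 DST=151.101.1.69 PROTO=TCP SPT=51234 DPT=443
2026-05-22T04:12:37Z kernel: OUT=eth0 SRC=10.0.0.5 DST=194.76.217.28 PROTO=TCP SPT=51240 DPT=2871
2026-05-22T04:12:39Z kernel: OUT=eth0 SRC=10.0.0.5 DST=194.76.217.28 PROTO=TCP SPT=51241 DPT=443
2026-06-01T10:00:00Z kernel: OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=51300 DPT=80
2026-06-15T08:30:00Z kernel: OUT=eth0 SRC=10.0.0.6 DST=194.76.217.28 PROTO=TCP SPT=51400 DPT=2871
this line is not a firewall record
"""

if __name__ == "__main__":
    for ts, src, dst, dpt, in_window in find_c2_contacts(SAMPLE_LOG.splitlines()):
        flag = "CONFIRMED (in window)" if in_window else "review (outside window)"
        print(f"{ts} {src} -> {dst}:{dpt}  {flag}")
```

Run it against your real export by replacing SAMPLE_LOG with the file contents; because the loader fetched its payload from port 2871 but the script matches on the destination address alone, a hit on any port is worth investigating rather than being filtered out.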

General supply chain hygiene going forward:

  • Avoid enabling auto-updates for premium plugins without monitoring in place
  • Review plugin changelogs for updates pushed outside the vendor's normal release cadence — emergency releases mid-cycle should trigger manual review
  • Use file integrity monitoring (Wordfence, WP Cerber) to detect unexpected plugin file changes
  • Monitor outbound connections from web servers to detect C2 communication patterns
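As an added example (not the advisory's or any vendor's code), the script below models the file integrity monitoring recommended above and the plugin-directory scan from remediation step 7: it hashes every file under a plugins directory into a manifest, compares a later manifest against that baseline, and lists top-level plugin directories not on an administrator-maintained allowlist. A dropped fake plugin (steps 2 and 3 of the loader sequence) or a modified plugin file shows up as an added or modified entry before any self-deletion finishes. The directory layout, the allowlist and the plugin names are constructed for the demo; in production the baseline would be written somewhere outside the web root and compared on a schedule.

```python
"""Baseline-and-compare integrity check for a WordPress plugins directory.

Added example, not code from the advisory or from ShapedPlugin. All paths,
plugin names and file contents below are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large plugin bundles do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(plugins_dir):
    """Map each file's path (relative to plugins_dir, with forward slashes) to its SHA-256."""
    manifest = {}
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, plugins_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Sorted lists of files added, removed and modified since the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def unexpected_plugins(current, allowlist):
    """Top-level plugin directories on disk that the administrator never installed."""
    on_disk = {p.split("/", 1)[0] for p in current}
    return sorted(on_disk - set(allowlist))


def _write(path, content):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(content)


def demo():
    """Constructed scenario: take a baseline, then a file changes and an unknown plugin appears."""
    with tempfile.TemporaryDirectory() as plugins_dir:
        # Known-good state (constructed placeholder plugin, not a real product).
        _write(os.path.join(plugins_dir, "example-slider", "example-slider.php"),
               "<?php // placeholder plugin\n")
        _write(os.path.join(plugins_dir, "example-slider", "readme.txt"), "v1\n")
        stored = json.dumps(build_manifest(plugins_dir))  # what a scheduled job would persist

        # Simulated tampering (constructed): an existing file is altered and an
        # unknown plugin directory is dropped alongside it.
        _write(os.path.join(plugins_dir, "example-slider", "example-slider.php"),
               "<?php // placeholder plugin\n// injected line\n")
        _write(os.path.join(plugins_dir, "unknown-helper", "unknown-helper.php"),
               "<?php // constructed stand-in for a dropped plugin\n")

        current = build_manifest(plugins_dir)
        changes = diff_manifests(json.loads(stored), current)
        unknown = unexpected_plugins(current, allowlist=["example-slider"])
        return changes, unknown


if __name__ == "__main__":
    changes, unknown = demo()
    print("added:   ", changes["added"])
    print("removed: ", changes["removed"])
    print("modified:", changes["modified"])
    print("not on allowlist:", unknown)
```

Refresh the baseline only after a deliberate, reviewed update; an update that was never scheduled but changes the manifest is exactly the mid-cycle release the changelog advice above says should get a manual look.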

Sources