ShapedPlugin WordPress plugins were turned into a malware delivery channel after attackers compromised the vendor’s official update flow and pushed infected premium releases to paying customers. The breach matters because the malicious code arrived through the same update path customers normally trust, not through nulled plugins or random download sites.

Paid ShapedPlugin Updates Smuggle Malware Into WordPress
XOOMAR Intelligence
Analyst Take
Multiple paid plugins from ShapedPlugin were compromised in a supply chain attack, according to BleepingComputer. The infected releases installed a fake WooCommerce-themed plugin, stole credentials and gave attackers remote file-writing capabilities.
ShapedPlugin update system served infected WordPress plugin releases to paying customers
The affected products were Product Slider Pro for WooCommerce before 3.5.4, Real Testimonials Pro 3.2.5, and Smart Post Show Pro before 4.0.2. ShapedPlugin’s free products have more than 400,000 active installations, but the reported compromise hit only three paid plugins distributed through the vendor’s commercial update system.
That distinction is the story. Customers who paid for Pro versions and accepted official updates were exposed through the trusted delivery path.
| Affected ShapedPlugin product | Reported impacted version range | Reported fix or update status |
|---|---|---|
| Product Slider Pro for WooCommerce | Before 3.5.4 | Fix made available in 3.5.4, according to Wordfence via BleepingComputer |
| Real Testimonials Pro | 3.2.5 | ShapedPlugin pointed to 3.2.6, which lists “Fix: Some WPCS-related warnings.” |
| Smart Post Show Pro | Before 4.0.2 | Fix made available in 4.0.2, according to Wordfence via BleepingComputer |
Wordfence data collected from its firewall showed the backdoor was injected into ShapedPlugin’s Pro builds on May 21. The first customer reports about potentially malicious updates appeared on June 10, researchers confirmed the breach after downloading infected plugins from ShapedPlugin’s site on June 12, and the publisher acknowledged the incident on June 16.
“Our team immediately initiated an investigation upon identifying the concern, and we have already implemented the necessary measures to mitigate the issue,” ShapedPlugin told Wordfence.
ShapedPlugin also said it was preparing updated plugin releases and validating them before pushing them through update channels. BleepingComputer reported that the company said an official statement would follow after Wordfence confirms the patches addressed the issue.
The ShapedPlugin breach turns routine WordPress updates into a malware delivery risk
The malware sat inside a file named LicenseLoader.php. Wordfence’s analysis found that it activated when a WordPress administrator opened the site’s admin panel, contacted a command-and-control server, downloaded a second-stage backdoor, installed it as a fake plugin, reported back to the attacker and then deleted itself to reduce evidence.
The fake plugin impersonated WooCommerce-related components under names such as woocommerce-subscription and woocommerce-notification. It was hidden from the WordPress plugin list, which means an admin could miss it during a normal dashboard review.
The confirmed data targets were broad:
- WordPress credentials: Usernames, passwords, session cookies, user roles, IP addresses and browser details.
- 2FA secrets: Secrets from popular WordPress security plugins.
- Configuration secrets: Database credentials and WordPress authentication keys from wp-config.php.
- Admin data: Administrator account details.
- Email credentials: SMTP and email service credentials.
- Commerce data: WooCommerce order data from the past three months, including payment method information.
The source material supports a hard conclusion: this was not ordinary plugin malware dropped after a weak password. The malicious code moved through the vendor’s own release channel, which makes the update itself the infection vector.
Wordfence researchers believe this was a build pipeline compromise, based on file modifications, timestamp patterns suggesting automated injection and Git build references inside the packages. Releases hosted on WordPress.org were confirmed clean, which points away from the public plugin repository and toward ShapedPlugin’s release infrastructure.
That changes the risk model for affected site owners. A clean-looking update can pass the first smell test because it comes from the expected vendor, carries the expected product name and lands in the expected admin workflow.
WordPress is tracking the incident under CVE-2026-10735. CVE-2026-49777 was also submitted as a duplicate, according to the supplied source material.
BleepingComputer also linked the timing to another WordPress supply chain incident involving OptinMonster, where a CDN compromise followed a flaw in a marketing server that let an attacker steal CDN account credentials. In ShapedPlugin’s case, the suspected weak point is different: the build pipeline.
For readers tracking broader WordPress compromise patterns, XOOMAR’s related coverage includes Police Rip SocGholish Malware From 14,971 WordPress Sites. For operators weighing hosting exposure and maintenance tradeoffs, see Low-Traffic Web Hosting Traps Quietly Drain Budgets.
ShapedPlugin customers should audit recent plugin updates and watch for cleanup guidance
Affected administrators should first verify whether they installed or updated any ShapedPlugin premium product in the exposed set. The strongest indicator named in the source is the presence of hidden fake WooCommerce plugins using woocommerce-subscription or woocommerce-notification.
If those fake plugins are found, BleepingComputer reports that site administrators are advised to reset all site passwords, regenerate 2FA secrets and review user lists for rogue additions. That advice tracks the malware’s confirmed behavior: it targeted credentials, session data, authentication keys and two-factor secrets.
XOOMAR analysis: because the source confirms remote file-writing capability, cleanup should not stop at removing the visible fake plugin. Admins should compare plugin files against verified clean releases when available, scan for modified PHP files and review suspicious admin activity. These are containment steps tied to the reported backdoor behavior, not confirmation that every affected site shows the same artifacts.
Teams should also preserve backups before cleanup. If credentials were stolen, rotating only the WordPress admin password may be too narrow. The reported targets include database credentials, SMTP/email service credentials and WordPress authentication keys from wp-config.php.
The immediate practical checklist is short:
- Confirm exposure: Check for Product Slider Pro for WooCommerce, Real Testimonials Pro or Smart Post Show Pro in the affected versions.
- Hunt fake plugins: Look for woocommerce-subscription and woocommerce-notification, including plugins hidden from the normal admin list.
- Rotate secrets: Reset WordPress passwords, regenerate 2FA secrets and replace exposed database, SMTP and authentication keys if compromise is suspected.
- Review users: Check for newly created or suspicious administrator accounts.
- Wait for verification: Track ShapedPlugin and Wordfence confirmation that clean releases fully address the issue.
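The "hunt fake plugins" step above, and the file-level review suggested in the XOOMAR analysis, can be scripted against a site's wp-content/plugins directory. The triage helper below is an added example, not Wordfence's or ShapedPlugin's code: it looks for the two reported fake plugin slugs, for any file named LicenseLoader.php, and, as a heuristic of our own rather than something the report states, for PHP files that register the WordPress all_plugins filter, which is one way a plugin can remove itself from the admin plugin list. The sample plugin tree it scans is constructed inline; the directory name some-pro-plugin is a stand-in, not an affected product's real slug.

```python
# Constructed triage helper for the ShapedPlugin indicators (added example, not vendor code).
import re
import tempfile
from pathlib import Path

# Fake plugin slugs reported by Wordfence via BleepingComputer.
FAKE_PLUGIN_SLUGS = {"woocommerce-subscription", "woocommerce-notification"}
# File that carried the loader in the infected Pro builds, per the analysis.
LOADER_NAME = "LicenseLoader.php"
# Heuristic (our assumption, not from the report): a plugin that filters the
# 'all_plugins' list can hide entries from the admin plugin screen.
HIDE_HOOK = re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]")


def triage_plugins_dir(plugins_dir: Path) -> list[tuple[str, str]]:
    """Return (indicator, relative path) pairs found under wp-content/plugins."""
    findings = []
    for entry in sorted(plugins_dir.iterdir()):
        if entry.is_dir() and entry.name in FAKE_PLUGIN_SLUGS:
            findings.append(("fake-woocommerce-plugin", entry.name))
    for php in sorted(plugins_dir.rglob("*.php")):
        rel = str(php.relative_to(plugins_dir))
        if php.name == LOADER_NAME:
            findings.append(("license-loader-file", rel))
        if HIDE_HOOK.search(php.read_text(errors="ignore")):
            findings.append(("all-plugins-filter", rel))
    return findings


def build_constructed_sample(plugins_dir: Path) -> None:
    """Lay out a constructed tree: one clean plugin, one fake plugin, one loader file."""
    (plugins_dir / "hello-dolly").mkdir(parents=True)
    (plugins_dir / "hello-dolly" / "hello.php").write_text("<?php // clean sample\n")
    fake = plugins_dir / "woocommerce-notification"
    fake.mkdir()
    (fake / "plugin.php").write_text(
        "<?php add_filter('all_plugins', function ($p) { return $p; });\n")
    pro = plugins_dir / "some-pro-plugin"  # constructed stand-in for an affected Pro build
    pro.mkdir()
    (pro / LOADER_NAME).write_text("<?php // constructed stand-in for the loader file\n")


def demo() -> list[tuple[str, str]]:
    """Build the constructed sample in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins_dir = Path(tmp) / "wp-content" / "plugins"
        build_constructed_sample(plugins_dir)
        return triage_plugins_dir(plugins_dir)


if __name__ == "__main__":
    for indicator, path in demo():
        print(f"{indicator}: {path}")
```

On a real site, point triage_plugins_dir at the live wp-content/plugins path; a hit on any indicator is a reason to preserve a backup and compare plugin files against verified clean releases, not proof of compromise on its own.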
The open issue is whether ShapedPlugin has fully locked down the release path that let malicious Pro builds reach customers. Until that is verified, the watch item is not only which versions are clean, but whether the vendor’s update pipeline can be trusted again.
Impact Analysis
- Attackers abused ShapedPlugin’s trusted commercial update channel, exposing paying customers through official releases.
- The infected plugins installed a fake WooCommerce-themed plugin that could steal credentials and write files remotely.
- The incident highlights supply chain risk in WordPress ecosystems, even when site owners avoid nulled or unofficial plugins.
Affected ShapedPlugin Paid Plugins
| Affected product | Impacted version range | Reported fix or update status |
|---|---|---|
| Product Slider Pro for WooCommerce | Before 3.5.4 | Fix made available in 3.5.4 |
| Real Testimonials Pro | 3.2.5 | ShapedPlugin pointed to 3.2.6 |
| Smart Post Show Pro | Before 4.0.2 | Fix made available in 4.0.2 |
Written by
XOOMAR Insights Team
Research and Editorial Desk