- Pro versions of three ShapedPlugin WordPress extensions were backdoored after attackers hijacked the official vendor distribution channel.
- The injected malware steals admin credentials, 2FA codes, and e-commerce data, then deletes itself to evade detection.
- The incident underscores a critical supply chain risk where purchasing legitimate software licenses can expose websites to malware.
On June 22, 2026, ShapedPlugin confirmed a major supply chain attack where threat actors compromised and backdoored several of its premium WordPress plugins. According to an analysis by Wordfence, “attackers compromised the vendor’s build and distribution pipeline, injecting backdoor code into Pro plugin releases” distributed through official channels. Consequently, only customers using paid versions downloaded directly from the vendor’s site were affected.
The impacted plugins include Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro. This incident has been assigned severe CVEs, including CVE-2026-49777 with a maximum CVSS score of 10.0. However, the free versions hosted on WordPress.org remain safe from this compromise.
The injected malware contacts a command server to fetch a payload that installs as a fake plugin. Consequently, it captures administrator passwords and two-factor authentication codes in plaintext. It also extracts sensitive data like database credentials and recent WooCommerce orders before erasing its own files.
This sophisticated attack establishes multiple persistence methods and drops a web shell for remote command execution. Meanwhile, site owners with infected versions must immediately reset all user passwords and regenerate 2FA secrets. ShapedPlugin is now reviewing its release processes and will issue validated security updates soon.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
