Backdoor RCE Disclosed in WordPress Product Slider Pro for WooCommerce
A critical vulnerability tracked as CVE-2026-49777 was disclosed in ShapedPlugin's Product Slider Pro for WooCommerce WordPress plugin, with reports describing it as a backdoor and supply-chain remote code execution issue. The flaw was assigned CWE-1284 and a CVSS 3.1 score reflecting critical impact (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating that attackers could potentially compromise confidentiality, integrity, and availability without authentication or user interaction.
Public reporting shows inconsistent affected-version boundaries, with one source listing versions before 3.5.3 and another identifying versions before 3.5.4, while a Nuclei template pull request labels the issue as KEV and ties it to active detection efforts. The CVE record also notes that the vendor said the issue was fixed in an existing release but did not clearly publish a definitive patched version, leaving defenders to verify plugin versions carefully and treat older deployments as potentially exposed until remediation guidance is clarified.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Nuclei template PR references CVE-2026-49777 and version boundary update
On June 9, 2026, a GitHub pull request in the nuclei-templates repository referenced CVE-2026-49777 as a supply chain backdoor RCE in WordPress Product Slider Pro for WooCommerce. The visible content associates the issue with affected versions before 3.5.4, indicating an updated affected-version boundary in public detection content.
CVE-2026-49777 recorded for Product Slider Pro backdoor vulnerability
On June 5, 2026, CVE-2026-49777 was recorded for ShapedPlugin's Product Slider Pro for WooCommerce WordPress plugin. The CVE describes a backdoor-related vulnerability affecting versions before 3.5.3 and assigns CWE-1284 with a critical CVSS 3.1 score.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2026-49777 - WordPress Product Slider Pro for WooCommerce < 3.5.4 - Supply Chain Backdoor RCE (KEV) by DhiyaneshGeek · Pull Request #16354 · projectdiscovery/nuclei-templates · GitHub
github.com
Open sourceCVE-2026-49777 - WordPress Product Slider Pro for WooCommerce plugin < 3.5.3 - Backdoor vulnerability
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Backdoored ShapedPlugin Pro Updates Exposed WordPress Sites to Full Takeover
A supply-chain compromise of ShapedPlugin’s premium WordPress plugin distribution inserted backdoor code into official paid releases, allowing unauthenticated attackers to fully compromise affected websites. Wordfence said the attackers tampered with the vendor’s update pipeline used for Pro builds distributed via Easy Digital Downloads, while free versions in the WordPress repository were not affected. Confirmed malicious releases included **Smart Post Show Pro** `4.0.1`, **Product Slider for WooCommerce Pro** `3.5.2`, and **Real Testimonials Pro** `3.2.4`, which were later replaced by clean versions `4.0.2`, `3.5.3`, and `3.2.5`; the incident is tracked as **`CVE-2026-10735`** with a reported **CVSS 9.8**.
Jun 23, 2026
Smart Slider 3 File-Read Flaw Exposes WordPress Secrets on 500,000 Sites
A file-read vulnerability in the **Smart Slider 3** WordPress plugin could let authenticated users with only subscriber-level access read arbitrary files from the server, including `wp-config.php`, on more than 500,000 likely unpatched sites. The flaw, tracked as **`CVE-2026-3098`**, affects all versions through **`3.5.1.33`** and stems from missing capability checks and insufficient file validation in the plugin’s AJAX export functionality. Researcher Dmitrii Ignatyev reported the issue, which was validated by Wordfence before developer Nextendweb released a fix in **Smart Slider 3 `3.5.1.34`**. Security reporting said there was no evidence of active exploitation at publication time, but successful attacks could expose database credentials, cryptographic keys, and WordPress salt values, creating a path to broader site compromise.
Mar 31, 2026
Backdoored Smart Slider 3 Pro Update Delivered RCE and Persistent Site Compromise
Attackers compromised Nextend’s update infrastructure and used the official Smart Slider 3 Pro update channel to distribute a trojanized `3.5.1.35` release for WordPress and Joomla. The malicious package, available for roughly six hours, preserved normal plugin functionality while embedding a multi-layered malware toolkit that enabled unauthenticated remote command execution, authenticated backdoor access, credential theft, and long-term persistence. Researchers said the incident amounted to a software supply-chain compromise because the malware was pushed through a trusted vendor update mechanism rather than a direct intrusion path. The backdoored update created hidden administrator accounts, planted must-use plugins and theme backdoors, and dropped files designed to resemble legitimate WordPress core components; the Joomla variant similarly installed hidden admin access and backdoors in cache and media directories while stealing site information and credentials. Nextend said only the Pro edition’s `3.5.1.35` version was affected, not the free plugin, and urged administrators to assume full site compromise, upgrade immediately to `3.5.1.36` or revert to `3.5.1.34` or earlier, restore from backups created before the intrusion if possible, reinstall trusted components, rotate credentials, regenerate WordPress salts, scan for malware, and harden administrative access with measures such as MFA and restricted admin exposure.
Apr 10, 2026