Backdoored ShapedPlugin Pro Updates Exposed WordPress Sites to Full Takeover
A supply-chain compromise of ShapedPlugin’s premium WordPress plugin distribution inserted backdoor code into official paid releases, allowing unauthenticated attackers to fully compromise affected websites. Wordfence said the attackers tampered with the vendor’s update pipeline used for Pro builds distributed via Easy Digital Downloads, while free versions in the WordPress repository were not affected. Confirmed malicious releases included Smart Post Show Pro 4.0.1, Product Slider for WooCommerce Pro 3.5.2, and Real Testimonials Pro 3.2.4, which were later replaced by clean versions 4.0.2, 3.5.3, and 3.2.5; the incident is tracked as CVE-2026-10735 with a reported CVSS 9.8.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
ShapedPlugin acknowledges plugin supply-chain incident
ShapedPlugin acknowledged the compromise affecting its paid WordPress plugin update flow on June 16, 2026. The acknowledgment followed reports of malicious updates distributed through the vendor’s official system and came after infected downloads had been confirmed.
ShapedPlugin premium plugin supply-chain compromise discovered
Wordfence disclosed that a supply-chain compromise affecting ShapedPlugin premium WordPress plugins was discovered on June 11, 2026. Attackers tampered with the vendor’s distribution pipeline and inserted backdoor code into official paid releases, while free repository versions were reportedly unaffected.
CVE-2026-10735 publicly published
The supply-chain backdoor issue affecting multiple ShapedPlugin Pro plugins was publicly published as CVE-2026-10735. The report described malicious plugin builds that enabled full site compromise and identified associated command-and-control and dropper infrastructure.
Forensics identify likely CI/CD compromise window
Wordfence reported forensic evidence that the ShapedPlugin intrusion likely involved a CI/CD pipeline compromise, with only four files modified within a two-hour window on May 21, 2026. Package metadata also indicated the malicious builds came from a private repository rather than the normal release process.
Clean plugin versions released to replace malicious builds
Affected malicious ShapedPlugin Pro releases were later replaced with clean versions: Smart Post Show Pro 4.0.2, Product Slider for WooCommerce Pro 3.5.3, and Real Testimonials Pro 3.2.5. The compromised versions identified were 4.0.1, 3.5.2, and 3.2.4 respectively.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
ShapedPlugin Supply Chain Attack Backdoors Pro Plugin Updates
securityaffairs.com
Open sourceShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack
thehackernews.com
Open sourceShapedPlugin update flow hacked to infect WordPress sites
bleepingcomputer.com
Open sourceShapedPlugin Supply Chain Attack: CVE-2026-10735 Alert
securityonline.info
Open sourceShapedPlugin Multiple Pro Plugins - Backdoor via Compromised Vendor Update Server | CVE 2026-10735 | Plugin Vulnerabilities
wpscan.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Backdoor RCE Disclosed in WordPress Product Slider Pro for WooCommerce
A critical vulnerability tracked as **CVE-2026-49777** was disclosed in ShapedPlugin's **Product Slider Pro for WooCommerce** WordPress plugin, with reports describing it as a **backdoor** and **supply-chain remote code execution** issue. The flaw was assigned **CWE-1284** and a **CVSS 3.1** score reflecting critical impact (`AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`), indicating that attackers could potentially compromise confidentiality, integrity, and availability without authentication or user interaction. Public reporting shows inconsistent affected-version boundaries, with one source listing versions **before 3.5.3** and another identifying versions **before 3.5.4**, while a Nuclei template pull request labels the issue as **KEV** and ties it to active detection efforts. The CVE record also notes that the vendor said the issue was fixed in an existing release but did not clearly publish a definitive patched version, leaving defenders to verify plugin versions carefully and treat older deployments as potentially exposed until remediation guidance is clarified.
Jun 9, 2026
Backdoored Smart Slider 3 Pro Update Delivered RCE and Persistent Site Compromise
Attackers compromised Nextend’s update infrastructure and used the official Smart Slider 3 Pro update channel to distribute a trojanized `3.5.1.35` release for WordPress and Joomla. The malicious package, available for roughly six hours, preserved normal plugin functionality while embedding a multi-layered malware toolkit that enabled unauthenticated remote command execution, authenticated backdoor access, credential theft, and long-term persistence. Researchers said the incident amounted to a software supply-chain compromise because the malware was pushed through a trusted vendor update mechanism rather than a direct intrusion path. The backdoored update created hidden administrator accounts, planted must-use plugins and theme backdoors, and dropped files designed to resemble legitimate WordPress core components; the Joomla variant similarly installed hidden admin access and backdoors in cache and media directories while stealing site information and credentials. Nextend said only the Pro edition’s `3.5.1.35` version was affected, not the free plugin, and urged administrators to assume full site compromise, upgrade immediately to `3.5.1.36` or revert to `3.5.1.34` or earlier, restore from backups created before the intrusion if possible, reinstall trusted components, rotate credentials, regenerate WordPress salts, scan for malware, and harden administrative access with measures such as MFA and restricted admin exposure.
Apr 10, 2026
Backdoored Essential Plugin WordPress Add-ons Compromised Thousands of Sites
A supply-chain attack hit the **Essential Plugin** WordPress portfolio after the plugin business was reportedly acquired by a new owner who inserted a hidden backdoor into trusted add-ons used by thousands of websites. Researchers said the malicious code was added to `Countdown Timer Ultimate` version `2.6.7` in August 2025 as a PHP deserialization backdoor, then left dormant for about eight months before activating in early April 2026. Once triggered, affected sites contacted `analytics.essentialplugin.com`, received additional payloads, and had malicious code written into `wp-config.php`. The compromise allowed attackers to serve hidden spam links, fake pages, and redirects to Googlebot while remaining largely invisible to site owners. WordPress.org subsequently closed all **31** Essential Plugin entries in the plugin directory and pushed version `2.6.9.1` to remove the phone-home behavior, but reports warned that the update did **not** clean already-compromised `wp-config.php` files. Hosting providers and researchers urged administrators to manually inspect and remove any still-installed malicious plugins and persistence left on their servers, underscoring the risk that plugin ownership changes can turn established WordPress software into a malware distribution channel.
Apr 16, 2026