Unrated

ShapedPlugin Pro WordPress Plugin Supply-Chain Backdoor

Identifiers: CVE-2026-10735, CWE-494

CVE-2026-10735 tracks a supply-chain compromise affecting multiple premium WordPress plugins distributed by ShapedPlugin through the vendor’s official update/distribution infrastructure. According to the provided reporting, malicious code was inserted into paid plugin builds, including Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro. The infected packages contained a loader component, reported as LicenseLoader.php or equivalent malicious installer code, which executed when an administrator accessed the WordPress admin interface, contacted attacker-controlled infrastructure, downloaded a second-stage payload, installed it as a fake hidden WooCommerce-related plugin such as woocommerce-subscription or woocommerce-notification, and then removed the initial loader to reduce forensic visibility. The second stage established persistence and exposed attacker functionality including credential theft, theft of WordPress authentication material and wp-config.php secrets, collection of administrator and WooCommerce data, and remote file-write/backdoor capability. The available evidence indicates compromise of ShapedPlugin’s build or release pipeline rather than the public WordPress.org repository, which was reported as unaffected.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation results in full compromise of affected WordPress sites. The malicious payload can exfiltrate WordPress usernames and passwords, session cookies, user roles, IP and browser metadata, database credentials, WordPress authentication keys, administrator details, SMTP/email credentials, WooCommerce order data, and two-factor authentication secrets from supported security plugins. Reporting also indicates persistence mechanisms such as a hidden fake plugin, arbitrary file-write capability via attacker-controlled functionality, possible deployment of tools such as Tiny File Manager and Adminer, and in some reporting a hardcoded administrator password bypass. In practice, this gives attackers unauthorized administrative access, persistent remote control, data theft, and the ability to modify site content or deploy additional malware.

Mitigation

If you can’t patch tonight, do this now.

Until remediation is complete, disable or isolate affected sites and prevent further plugin updates from the compromised distribution channel. Block known attacker infrastructure and inspect for indicators associated with the fake WooCommerce plugin names, LicenseLoader.php, and related dropped files. Restrict outbound connectivity from WordPress hosts where feasible, monitor for unauthorized REST API endpoints and unexpected file writes, and perform integrity checks on premium plugin packages before deployment. Prefer updates only after vendor validation of clean builds, and maintain independent backups and file integrity monitoring to detect future supply-chain tampering. If compromise is suspected, treat the host as fully compromised and conduct full incident response rather than only removing the visible plugin artifact.

Remediation

Patch, then assume compromise.

Remove all compromised ShapedPlugin Pro plugin builds and replace them with vendor-fixed clean releases. Based on the provided content, fixed versions include Product Slider Pro 3.5.4 or later, Smart Post Show Pro 4.0.2 or later, and Real Testimonials Pro 3.2.6 or later; some reporting references Real Testimonials Pro 3.2.5 and Product Slider Pro 3.5.3 as clean replacement versions, so version validation against the vendor’s final incident guidance is recommended. Administrators should identify and remove malicious fake plugins such as woocommerce-subscription and woocommerce-notification, inspect the filesystem for dropped backdoor files and unauthorized tools, review wp-content and plugin directories for persistence artifacts, and inspect the database and user list for rogue administrator accounts or unauthorized changes. Because credential and secret theft was reported, rotate all WordPress administrator and user passwords, database credentials, SMTP/email credentials, API keys, and WordPress salts/authentication keys, and regenerate all 2FA secrets. Review logs for outbound connections to attacker infrastructure and signs of post-compromise activity, and restore from a known-good backup if integrity cannot be established.
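
The on-disk checks named in the Mitigation and Remediation text above, as an added example (not Mallory's or the vendor's tooling). It scans the filesystem rather than the admin plugin list because the fake plugin is reported as hidden; the function names are hypothetical, and matching products by their "Plugin Name:" header text is an assumption.

```python
import os
import re

# Indicators named in the advisory text above; matched exactly, case-insensitively.
FAKE_PLUGIN_DIRS = {"woocommerce-subscription", "woocommerce-notification"}
LOADER_FILE = "licenseloader.php"
# First fixed versions from the Remediation text. ASSUMPTION: each plugin's
# "Plugin Name:" header equals the product name as the advisory writes it.
FIXED = {"product slider pro for woocommerce": (3, 5, 4),
         "smart post show pro": (4, 0, 2),
         "real testimonials pro": (3, 2, 6)}
HEADER = re.compile(r"^[ \t/*#]*(Plugin Name|Version):[ \t]*(.+)$", re.I | re.M)

def read_header(path):
    """Return WordPress plugin header fields from a PHP file (first occurrence wins)."""
    with open(path, errors="replace") as fh:
        pairs = HEADER.findall(fh.read(8192))
    return {k.lower(): v.strip() for k, v in reversed(pairs)}

def triage(plugins_dir):
    """Scan wp-content/plugins on disk; returns sorted (finding, detail) tuples."""
    findings = set()
    for slug in os.listdir(plugins_dir):
        root = os.path.join(plugins_dir, slug)
        if not os.path.isdir(root):
            continue
        if slug.lower() in FAKE_PLUGIN_DIRS:  # exact name, so lookalike slugs are not flagged
            findings.add(("fake-plugin-dir", slug))
        for cur, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(cur, name)
                if name.lower() == LOADER_FILE:
                    findings.add(("loader-file", os.path.relpath(path, plugins_dir)))
                elif cur == root and name.lower().endswith(".php"):
                    hdr = read_header(path)  # main plugin file sits at the top level
                    fixed = FIXED.get(hdr.get("plugin name", "").lower())
                    ver = tuple(map(int, re.findall(r"\d+", hdr.get("version", ""))[:3]))
                    if fixed and ver < fixed:
                        findings.add(("below-fixed-version", f"{slug} {hdr.get('version', '?')}"))
    return sorted(findings)

def build_sample(base):  # constructed sample tree for a dry run, not real plugin code
    files = {"testimonials/main.php": "<?php\n/* Plugin Name: Real Testimonials Pro\n * Version: 3.2.4\n */\n",
             "testimonials/includes/LicenseLoader.php": "<?php // placeholder\n",
             "post-show/main.php": "<?php\n/* Plugin Name: Smart Post Show Pro\n * Version: 4.0.2\n */\n",
             "woocommerce-notification/x.php": "<?php // placeholder\n"}
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
        with open(os.path.join(base, rel), "w") as fh:
            fh.write(body)
```

An empty result does not clear a host, since the loader is reported to delete itself after installing the second stage. Treat `below-fixed-version` as a prompt to validate against the vendor's final guidance, given that some reporting cites 3.2.5 and 3.5.3 as clean.
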
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.
