WordPress site administrators using premium plugins from ShapedPlugin were exposed to a supply-chain attack that distributed malware through the vendor’s official update mechanism. The breach affected only paid versions of three plugins, leaving free variants and WordPress.org-hosted releases untouched. ShapedPlugin confirmed the incident after security researchers identified the malicious payloads in customer downloads earlier this month.
What happened
On 21 May 2026, attackers compromised ShapedPlugin’s build pipeline, injecting a malicious loader into three premium plugins: Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro. The first reports of suspicious updates appeared on 10 June, when customers noticed unusual behavior after installing recent plugin versions. Security firm Defiant, which operates the Wordfence firewall, confirmed the breach on 12 June after downloading and analyzing infected plugin files from ShapedPlugin’s website.
The malware operated in two stages. When a WordPress administrator logged into an infected site, a hidden loader file (LicenseLoader.php) contacted a command-and-control server, downloaded a second-stage backdoor, and installed it as a fake plugin disguised as a WooCommerce component. The backdoor then erased the loader to avoid detection. Once active, it harvested sensitive data, including WordPress credentials, database access keys, SMTP configurations, and WooCommerce order details from the previous three months. The malware also targeted two-factor authentication secrets from popular security plugins and created rogue administrator accounts.
ShapedPlugin acknowledged the breach on 16 June, stating that it had initiated an investigation and implemented measures to contain the issue. The company released patched versions of the affected plugins—Product Slider Pro 3.5.4, Real Testimonials Pro 3.2.6, and Smart Post Show Pro 4.0.2—though it waited for Wordfence to verify the fixes before notifying customers. The incident is now tracked under CVE-2026-10735, with a duplicate entry filed as CVE-2026-49777.
- Compromise window: 21 May – 16 June 2026 (malicious updates distributed)
- Affected plugins: 3 premium plugins (free versions unaffected)
- Active installations: Over 400,000 (free plugins only; paid user count undisclosed)
- Data stolen: Credentials, 2FA secrets, database keys, WooCommerce orders
- CVE assigned: CVE-2026-10735
How the attack unfolded
The attackers gained access to ShapedPlugin’s release infrastructure, allowing them to modify plugin builds before distribution. Unlike a recent breach at OptinMonster, where a misconfigured marketing server exposed CDN credentials, this incident stemmed from a direct compromise of the build pipeline. Evidence pointing to the pipeline includes automated injection patterns, Git build references in the malicious packages, and the fact that releases on WordPress.org, which uses a separate distribution channel, remained clean.
The fake plugin installed by the malware remained hidden from the WordPress dashboard, making manual detection difficult. It targeted a broad range of sensitive data, prioritizing credentials that could enable further exploitation, such as persistent access to the site or exfiltration of customer payment details. The attack’s focus on WooCommerce order data suggests a financial motive, though no evidence has emerged linking the breach to specific fraud or ransomware campaigns.
What site owners should do
Administrators who installed updates for the affected plugins between 21 May and 16 June should assume their sites are compromised. Recommended steps include:
- Resetting all WordPress passwords and regenerating authentication keys in wp-config.php
- Reviewing user accounts for unauthorized administrators
- Rotating SMTP and database credentials
- Scanning for the fake plugins (woocommerce-subscription or woocommerce-notification) and removing them
- Updating to the latest patched versions of the affected plugins
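Because the fake plugin does not appear in the dashboard, the scan and version checks above are best run against the filesystem. The following is an added example, not code from ShapedPlugin or Wordfence; it assumes each plugin's "Plugin Name:" header matches the product name used in this article, and the directory slugs and file contents in demo() are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# IoCs and fixed versions are from the article; matching on "Plugin Name:" is an assumption.
FAKE_PLUGIN_DIRS = {"woocommerce-subscription", "woocommerce-notification"}
PATCHED = {
    "Product Slider Pro for WooCommerce": (3, 5, 4),
    "Real Testimonials Pro": (3, 2, 6),
    "Smart Post Show Pro": (4, 0, 2),
}
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.I | re.M)

def plugin_header(php_file):
    """Return (plugin name or None, version tuple) from a file's header comment."""
    fields = {k.lower(): v for k, v in HEADER.findall(php_file.read_text(errors="replace")[:8192])}
    ver = tuple(int(p) if p.isdigit() else 0 for p in fields.get("version", "0").split("."))
    return fields.get("plugin name"), ver

def scan_wordpress(wp_root):
    """Scan wp-content/plugins on disk. The loader self-deletes, so no hit is not a clean bill."""
    findings = []
    plugins = Path(wp_root) / "wp-content" / "plugins"
    for entry in sorted(p for p in plugins.iterdir() if p.is_dir()):
        if entry.name.lower() in FAKE_PLUGIN_DIRS:
            findings.append(("fake-plugin", entry.name))
        for f in entry.rglob("*.php"):
            if f.name.lower() == "licenseloader.php":  # loader file named in the article
                findings.append(("loader", f.relative_to(plugins).as_posix()))
        for main in entry.glob("*.php"):
            name, ver = plugin_header(main)
            if name in PATCHED and ver < PATCHED[name]:
                findings.append(("unpatched", f"{name} {'.'.join(map(str, ver))}"))
    return sorted(findings)

def demo():
    """Scan a constructed plugin tree (sample data; directory slugs are made up)."""
    plugins = Path(tempfile.mkdtemp()) / "wp-content" / "plugins"
    sample = {
        "woocommerce-notification/index.php": "<?php // constructed stand-in",
        "real-testimonials-pro/inc/LicenseLoader.php": "<?php // constructed stand-in",
        "real-testimonials-pro/main.php": "<?php\n/*\n * Plugin Name: Real Testimonials Pro\n * Version: 3.2.5\n */",
        "smart-post-show-pro/main.php": "<?php\n/*\n * Plugin Name: Smart Post Show Pro\n * Version: 4.0.2\n */",
    }
    for rel, body in sample.items():
        (plugins / rel).parent.mkdir(parents=True, exist_ok=True)
        (plugins / rel).write_text(body)
    return scan_wordpress(plugins.parents[1])

if __name__ == "__main__": print(demo())
```

On a real site, call scan_wordpress() with the WordPress root directory. Any finding means the remaining steps in the list still apply.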
ShapedPlugin has not disclosed how the attackers breached its build system, but the incident highlights the risks of supply-chain attacks in the WordPress ecosystem. Even vendors with established security practices can become targets, particularly when attackers exploit automated update mechanisms to distribute malware at scale.
Automated pipeline · Security
Synthesized from 1 industry feed on 18 Jun 2026. First draft failed editor review; a revised version was approved (score 85/100) before publication. Style guide v1.3.