Supply Chain Attack Compromises ShapedPlugin WordPress Pro Plugins

A supply chain attack has led to the compromise of multiple Pro plugins from ShapedPlugin, affecting users who installed updates through official channels.

A recent supply chain attack has compromised several Pro plugins from ShapedPlugin, allowing unknown threat actors to inject backdoor code into the official releases. This incident highlights vulnerabilities in the vendor’s build and distribution pipeline.

Details of the Compromise

According to an analysis by Wordfence, the attackers managed to tamper with the vendor’s update distribution system, specifically targeting Pro plugin releases distributed through the Easy Digital Downloads (EDD) infrastructure. The affected plugins include:

  • Product Slider Pro for WooCommerce (versions before 3.5.4)
  • Real Testimonials Pro (version 3.2.5)
  • Smart Post Show Pro (versions before 4.0.2)

It is important to note that the free versions of these plugins available on WordPress.org remain unaffected.
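As an added defender-side check (not code from Wordfence, ShapedPlugin or the original article), the script below reads the standard WordPress plugin header comment of each plugin under `wp-content/plugins` and flags any install whose `Plugin Name` and `Version` fall into the affected ranges listed above. It assumes the `Plugin Name` header matches the product names used in this article; if a vendor's header uses a different name or a slug, adjust the `AFFECTED` table accordingly. The sample header passed in at the bottom is constructed for illustration.

```python
import glob
import os
import re
import sys
from typing import Optional

# Affected Pro releases as stated in the article.
# ("lt", x) means every version below x is affected; ("eq", x) means exactly x.
# Plugin names are assumed to match the "Plugin Name:" header of each plugin.
AFFECTED = {
    "Product Slider Pro for WooCommerce": ("lt", "3.5.4"),
    "Real Testimonials Pro": ("eq", "3.2.5"),
    "Smart Post Show Pro": ("lt", "4.0.2"),
}

# Mirrors the tolerant header matching WordPress itself uses: the key may be
# preceded by comment decoration such as " * " or "# ".
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)[ \t]*$", re.MULTILINE
)


def parse_plugin_header(php_source: str) -> dict:
    """Extract 'Plugin Name' and 'Version' from a plugin's header comment."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source):
        fields.setdefault(key, value)  # first occurrence wins, as in WordPress
    return fields


def version_tuple(version: str) -> tuple:
    """Turn '3.5.3' into (3, 5, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(name: str, version: str) -> Optional[bool]:
    """None if the plugin is not on the list; otherwise whether this version is affected."""
    rule = AFFECTED.get(name)
    if rule is None:
        return None
    op, bound = rule
    if op == "lt":
        return version_tuple(version) < version_tuple(bound)
    return version_tuple(version) == version_tuple(bound)


def check_plugin_source(php_source: str) -> Optional[bool]:
    """Convenience wrapper: parse a plugin's main file and classify it."""
    header = parse_plugin_header(php_source)
    name, version = header.get("Plugin Name"), header.get("Version")
    if not name or not version:
        return None
    return is_affected(name, version)


def scan_plugins_dir(plugins_dir: str) -> list:
    """Walk wp-content/plugins and return (folder, name, version) for affected installs."""
    findings = []
    for entry in os.scandir(plugins_dir):
        if not entry.is_dir():
            continue
        for php in glob.glob(os.path.join(entry.path, "*.php")):
            with open(php, encoding="utf-8", errors="ignore") as fh:
                header = parse_plugin_header(fh.read(8192))  # WordPress reads the first 8 KiB
            name, version = header.get("Plugin Name"), header.get("Version")
            if name and version and is_affected(name, version):
                findings.append((entry.name, name, version))
                break  # one main file per plugin is enough
    return findings


# Constructed sample header, not a real plugin file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Product Slider Pro for WooCommerce
 * Version: 3.5.3
 */
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for folder, name, version in scan_plugins_dir(sys.argv[1]):
            print(f"AFFECTED: {folder} ({name} {version})")
    else:
        print("sample header affected:", check_plugin_source(SAMPLE_HEADER))
```

Run it as `python3 check_shapedplugin.py /var/www/html/wp-content/plugins` on the web server; a hit on any of the three products means the site should be treated as compromised and the credential and 2FA reset steps described further down apply.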

Impact of the Attack

The supply chain compromise associated with Product Slider Pro for WooCommerce has been assigned the CVE identifier CVE-2026-49777, which carries a CVSS score of 10.0, indicating maximum severity. The overall incident is also identified by CVE-2026-10735 with a CVSS score of 9.8.

The compromised plugins contain a loader that runs on every admin page load and fetches a malicious payload from a remote server. Once active, the malware can capture sensitive information, such as plaintext credentials and two-factor authentication (2FA) codes, and establishes persistence so the attackers retain access for follow-on activity.

Vendor Response and Recommendations

ShapedPlugin has acknowledged the incident and is currently reviewing its distribution and release processes to enhance product integrity. New versions of the affected plugins are anticipated, pending thorough security reviews.

For site owners who have installed the compromised versions, it is recommended to reset all passwords, revoke and regenerate 2FA secrets, review administrator accounts for unauthorized changes, and check mail plugin configurations for any modifications.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
