thehackernews.com web signal

ShapedPlugin Pro Plugins Backdoored via Vendor Build Pipeline

cybersecurity supply-chain-attack wordpress credential-theft

TL;DR

  • Three ShapedPlugin Pro plugins were backdoored through the vendor's own distribution pipeline; free WordPress.org versions were not affected.
  • The malware captured admin credentials and 2FA codes in plaintext, SMTP credentials, and three months of WooCommerce order data.
  • Wordfence identified the compromise; CVE-2026-49777 for Product Slider Pro carries a CVSS 10.0 maximum severity score.

ShapedPlugin's premium WordPress plugins became malware delivery vehicles after unknown attackers compromised the vendor's own build and distribution pipeline, according to The Hacker News. Three Pro plugins were backdoored through official licensed update channels using ShapedPlugin's Easy Digital Downloads infrastructure: Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro. Only the Pro versions distributed through the vendor's account portal were affected; free versions on WordPress.org remained unaffected.

The malware loaded on every admin page visit, fetching payloads from a remote server and installing counterfeit plugins. Wordfence, which identified the compromise, found the backdoor could capture administrator credentials and two-factor authentication codes in plaintext, extract the complete wp-config.php file, harvest mail plugin credentials from several SMTP plugins including WP Mail SMTP, Post SMTP, and Easy WP SMTP, and pull three months of WooCommerce order data. The loader also established web shells with command execution capabilities and then erased itself to complicate incident response.

The Product Slider Pro compromise is tracked as CVE-2026-49777 with a CVSS 10.0 score; the broader incident carries CVE-2026-10735 at CVSS 9.8. What gives this attack its edge is the vector: by compromising the vendor's distribution infrastructure rather than the plugins on WordPress.org, attackers reached paid customers through the exact channel those customers trust for updates. ShapedPlugin confirmed the incident and stated it would review its distribution processes, with updated plugin versions awaiting comprehensive security validation.

The reporting does not detail how attackers gained access to ShapedPlugin's build pipeline, how long malicious versions were available, or how many sites received the compromised updates. Sites that installed affected versions need more than a plugin update: Wordfence recommends resetting all passwords, revoking and regenerating 2FA secrets, auditing administrator accounts for unauthorized additions, and checking SMTP configurations for modifications. For any operator distributing premium WordPress plugins outside WordPress.org's infrastructure, this incident is a pointed demonstration that the distribution pipeline itself is an attack surface requiring the same scrutiny as the code it delivers.