ShapedPlugin’s official release pipeline was compromised, allowing attackers to push backdoored Pro versions of Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro through legitimate update channels. The malicious plugins installed a fake plugin, stole credentials and 2FA codes, exfiltrated wp-config.php and WooCommerce data, and used persistence and web shell capabilities to maintain access.
#ShapedPlugin #ProductSliderProforWooCommerce #RealTestimonialsPro #SmartPostShowPro #CVE-2026-49777 #CVE-2026-10735
Key points
- ShapedPlugin’s build and distribution pipeline was compromised.
- Backdoor code was injected into Pro plugin releases distributed via official licensed updates.
- Affected plugins include Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro.
- The malware installed a fake plugin, hid itself, and stole credentials, 2FA codes, and sensitive site data.
- Site owners should reset passwords, revoke 2FA secrets, and review administrator and SMTP configurations.
Read More: https://thehackernews.com/2026/06/shapedplugin-wordpress-pro-plugins.html