ShapedPlugin Backdoor: What WordPress Site Owners Need to Check Right Now

by Rebecca Sutton

If your business runs WordPress and you pay for plugin licences, the ShapedPlugin supply chain attack is worth reading carefully. Between May and June 2026, three popular premium plugins carried a WordPress plugin backdoor delivered through the vendor’s own official update system. The attack bypassed the usual safety signals: paid licence, reputable vendor, standard update process. None of that protected customers.

Why This Attack Is Different from a Typical Plugin Vulnerability

Most WordPress security incidents involve a flaw in plugin code. An attacker finds the bug and exploits it remotely. This one is different. The attackers did not find a bug in ShapedPlugin’s software. Instead, they compromised the build and distribution pipeline itself. So every customer who applied a routine update during the infection window unknowingly installed malware delivered by the vendor’s own system.

Security researchers at Wordfence confirmed the breach on 11 June 2026, after customers reported unusual activity. They found backdoored packages still being served through ShapedPlugin’s Easy Digital Downloads update infrastructure as late as 12 June. File modification timestamps pointed to 21 May as the likely injection date. The compromised updates were live for around three weeks.

Which Plugins and Which Users Are at Risk

Only paid, Pro versions were affected. The three compromised plugins are:

  • Smart Post Show Pro (version 4.0.1, update to 4.0.2 or later)
  • Product Slider for WooCommerce Pro (versions before 3.5.4, update to 3.5.4 or later)
  • Real Testimonials Pro: update to the latest available release from ShapedPlugin

Free versions of these plugins on WordPress.org were not touched. So if your site uses only free ShapedPlugin plugins, you are not in scope. But if you have any of the Pro versions and applied updates between April and June 2026, assume your site may be affected.

How the WordPress Plugin Backdoor Worked

The attack ran in two stages. The initial loader activated each time an admin opened the WordPress dashboard. It contacted a remote server and downloaded a second payload. That payload disguised itself as a WooCommerce plugin, and the loader then deleted itself to avoid detection.

The second stage was a credential-harvesting tool. It captured administrator usernames, passwords, and session tokens. Database credentials were also pulled from wp-config.php. Two-factor authentication secrets from popular 2FA plugins were sent to an external server, so attackers could generate valid login codes without a physical device. For WooCommerce stores, the malware collected three months of order records, including customer names, addresses, and payment details.

Beyond credential theft, the malware installed a web shell, a REST API backdoor, and file management software. These left several independent routes back into the site even after the plugin was removed.

The compromise carries CVE-2026-10735 at CVSS 9.8, and CVE-2026-49777 specifically for Product Slider Pro at a maximum CVSS 10.0. Both scores reflect the full site-takeover capability of the payload.

Updating the Plugin Is Not Enough

This is the most important point. Installing the patched version removes the loader. But if the WordPress plugin backdoor’s second stage already ran, it sits independently on your filesystem. Updating the plugin does not touch it. So a site compromised during the exposure window needs a proper incident investigation, not just a plugin update.

The Remediation Checklist

If you installed any affected ShapedPlugin Pro version between April and June 2026, work through this list:

  • Run a full malware scan and check specifically for signs of the WordPress plugin backdoor. Look for unexpected plugin files you did not install, particularly anything named woocommerce-subscription or woocommerce-notification.
  • Check your admin account list and remove any accounts you do not recognise.
  • Reset all WordPress admin passwords and force a re-login for all users.
  • Regenerate the authentication keys and salts in wp-config.php. The WordPress secret key generator produces fresh ones.
  • Change your database password and update wp-config.php to match.
  • Rotate credentials for any SMTP or email service configured in the site. Email plugin credentials are a recurring target, and the risk extends beyond this incident.
  • Revoke all two-factor authentication setups for admin accounts and enrol fresh devices. TOTP secrets may have been stolen.
  • If you run WooCommerce, review your order history for the period. Consider whether customer notification is needed under your data protection obligations.
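A small triage helper for the first and fourth items on the checklist, added here as an example rather than code from the article or from ShapedPlugin. It assumes the site owner keeps an inventory of the plugins they deliberately installed; the plugin directory names and the wp-config.php fragment it scans are constructed samples.

```python
import os
import re
import tempfile

# Plugin directory names the write-up tells owners to look for.
KNOWN_DROP_NAMES = {"woocommerce-subscription", "woocommerce-notification"}
# Placeholder value WordPress ships in wp-config-sample.php for every key and salt.
PLACEHOLDER = "put your unique phrase here"
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

def unexpected_plugins(plugins_dir, inventory):
    """Plugin directories not in the owner's own inventory. The two names from
    the incident are reported even if someone added them to the inventory."""
    present = [d for d in os.listdir(plugins_dir)
               if os.path.isdir(os.path.join(plugins_dir, d))]
    return sorted(d for d in present
                  if d not in inventory or d in KNOWN_DROP_NAMES)

def salt_problems(wp_config_text):
    """Keys and salts that are missing, still the placeholder, or reused."""
    values = {}
    for key in SALT_KEYS:
        m = re.search(r"define\(\s*'%s'\s*,\s*'([^']*)'\s*\)" % key,
                      wp_config_text)
        values[key] = m.group(1) if m else None
    problems = []
    for key, val in values.items():
        if val is None:
            problems.append((key, "missing"))
        elif val == PLACEHOLDER:
            problems.append((key, "placeholder"))
        elif list(values.values()).count(val) > 1:
            problems.append((key, "reused"))
    return problems

# Constructed sample data for a stand-alone run (not taken from any real site).
def build_sample_plugins_dir():
    root = tempfile.mkdtemp()
    for name in ("smart-post-show-pro", "woocommerce-subscription", "akismet"):
        os.mkdir(os.path.join(root, name))
    return root

SAMPLE_WP_CONFIG = (
    "define( 'AUTH_KEY',        'put your unique phrase here' );\n"
    "define( 'SECURE_AUTH_KEY', 'k3Yv@lue-one' );\n"
    "define( 'LOGGED_IN_KEY',   'k3Yv@lue-one' );\n"
)
```

Point `unexpected_plugins` at the real `wp-content/plugins` directory and `salt_problems` at the contents of the live `wp-config.php`; anything it reports still needs a human to look at it, since a clean result does not prove the second stage never ran.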

What This Tells Us About WordPress Security

Supply chain attacks on WordPress plugins are not unique to ShapedPlugin. They are less common than direct plugin exploits. But when they happen, the usual defensive instincts work against you. Keeping plugins updated, buying from reputable vendors, and using official update channels are sound practices for normal vulnerabilities. Here, though, those same habits delivered the WordPress plugin backdoor.

The practical lesson is that plugin update channels are a trust relationship, and trust relationships can be abused. A proper security review of a WordPress environment checks which plugins are installed, what permissions they hold, and whether their update sources look clean. That kind of review is what an external security assessment is designed to catch; an in-house team focused on routine updates may not spot it at all.
