Several premium WordPress plugins developed by ShapedPlugin have been compromised in a sophisticated supply chain attack. Malicious actors infiltrated the vendor’s build and distribution pipeline, injecting backdoor code into official releases of these plugins. This breach has significant implications for website administrators who rely on these tools for enhanced functionality.
Affected Plugins and Versions
The compromised plugins include:
- Product Slider Pro for WooCommerce (versions prior to 3.5.4)
- Real Testimonials Pro (version 3.2.5)
- Smart Post Show Pro (versions prior to 4.0.2)
It’s important to note that only the Pro versions distributed through ShapedPlugin’s Easy Digital Downloads (EDD) infrastructure were affected. The free versions available on WordPress.org remain unaffected.
Details of the Compromise
The attack involved embedding a loader within the compromised plugin versions. This loader activates on every admin page load, reaching out to a remote server at 194.76.217.28:2871 to fetch and install a malicious payload disguised as a legitimate plugin. Once activated, this rogue plugin performs several malicious activities:
- It reports the compromised domain back to the attacker’s server and then deletes itself to evade detection.
- The fake plugin conceals itself from the WordPress admin plugin list, making it difficult for administrators to identify its presence.
- It captures sensitive information, including plaintext credentials and two-factor authentication (2FA) codes.
- It establishes multiple persistence mechanisms, such as a custom REST endpoint that allows arbitrary file writes when presented with a specific authentication token.
- It deploys a web shell capable of executing commands on the server.
Additionally, a PHP file named “install-persistent.php” is used to extract critical data, including:
- Contents of the wp-config.php file, which contains database credentials, authentication keys, and debug settings.
- Details of all administrator accounts, including registration dates.
- SMTP credentials from mail plugins like WP Mail SMTP, Post SMTP, and Easy WP SMTP.
- WooCommerce order data from the past three months, including payment method information.
After extracting this information, the malicious file deletes itself to minimize traces of the attack.
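A defender-side check for the indicators named in this section, added here as an example and not code from ShapedPlugin or from the original analysis: it walks a plugins directory, flags PHP files that embed the loader's remote address, flags the install-persistent.php file name, and matches affected Pro versions read from plugin headers. The directory layout and sample files are constructed, and keying the version check on the "Plugin Name" header value is an assumption about how those plugins label themselves.

```python
import os, pathlib, re, tempfile
# Indicators quoted from the write-up above; everything else in this file is constructed.
C2_PATTERN = re.compile(rb"194\.76\.217\.28(?::2871)?")
SUSPECT_FILENAMES = {"install-persistent.php"}
def version_tuple(v):
    return tuple(int(p) for p in re.findall(r"\d+", v))

# Affected Pro versions as stated in the article, keyed by the "Plugin Name" header value.
AFFECTED = {
    "Product Slider Pro for WooCommerce": lambda v: version_tuple(v) < (3, 5, 4),
    "Real Testimonials Pro": lambda v: version_tuple(v) == (3, 2, 5),
    "Smart Post Show Pro": lambda v: version_tuple(v) < (4, 0, 2),
}

def plugin_header(text):
    """Return (name, version) from a WordPress plugin header comment; None where absent."""
    name = re.search(r"^\s*\*?\s*Plugin Name:\s*(.+)$", text, re.M)
    ver = re.search(r"^\s*\*?\s*Version:\s*(.+)$", text, re.M)
    return (name.group(1).strip() if name else None, ver.group(1).strip() if ver else None)

def scan_plugins_dir(root):
    """Walk a wp-content/plugins tree and yield (finding_kind, detail) pairs."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn in SUSPECT_FILENAMES:            # dropper file named in the article
                yield ("suspect-filename", path)
            if not fn.endswith(".php"):
                continue
            data = pathlib.Path(path).read_bytes()
            if C2_PATTERN.search(data):            # hard-coded loader address
                yield ("c2-address", path)
            name, ver = plugin_header(data.decode("utf-8", "replace"))
            if name in AFFECTED and ver and AFFECTED[name](ver):
                yield ("affected-version", f"{name} {ver}")

def build_sample_tree():
    """Constructed demo tree: one affected plugin, one clean plugin, one dropped file."""
    root = tempfile.mkdtemp()
    samples = {
        "real-testimonials-pro/real-testimonials-pro.php": "<?php\n/*\nPlugin Name: Real Testimonials Pro\n"
            "Version: 3.2.5\n*/\n$u = 'http://194.76.217.28:2871/'; // constructed indicator string\n",
        "clean-plugin/clean-plugin.php": "<?php\n/*\nPlugin Name: Clean Plugin\nVersion: 1.0\n*/\n",
        "dropped/install-persistent.php": "<?php\n// constructed placeholder, contains no real code\n",
    }
    for rel, body in samples.items():
        p = pathlib.Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root
```

Point `scan_plugins_dir` at a real wp-content/plugins path to triage an installation; any hit on the address or file name warrants the credential and 2FA resets described below regardless of the plugin version found.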
Security Implications and Recommendations
This incident underscores the vulnerabilities inherent in software supply chains. Even when obtaining software from official and trusted sources, users can be exposed to significant risks if the distribution channels are compromised. The severity of this attack is highlighted by the assignment of CVE-2026-10735 with a CVSS score of 9.8, indicating a critical security flaw.
ShapedPlugin has acknowledged the breach and is currently reviewing its distribution and release processes to prevent future incidents. They plan to release new, secure versions of the affected plugins following comprehensive security assessments.
Website administrators who have installed the compromised plugin versions should take immediate action:
- Reset all passwords associated with the website.
- Revoke and regenerate 2FA secrets for all users.
- Review administrator accounts for any unauthorized additions or changes.
- Examine mail plugin configurations for any alterations to SMTP credentials.
In light of this event, it’s crucial for website owners to remain vigilant about the security of their plugins and themes. Regularly updating software, monitoring for unusual activity, and implementing robust security practices can help mitigate the risks associated with such supply chain attacks.