# Critical Backdoor Discovered in ShapedPlugin WordPress Pro Plugins *Published June 24, 2026* *Source: [https://thehackernews.com/2026/06/shapedplugin-wordpress-pro-plugins.html](https://thehackernews.com/2026/06/shapedplugin-wordpress-pro-plugins.html)* ## Executive Summary Several WordPress Pro plugins from ShapedPlugin were compromised in a supply chain attack, exposing users to serious security risks. The breach involved injecting backdoor code into official releases, affecting only Pro versions and not the free ones. ## Article A significant security breach has been identified in several WordPress plugins developed by ShapedPlugin, resulting from a supply chain attack. Unknown cybercriminals succeeded in infiltrating the company's build and distribution pipeline, injecting malicious backdoor code into Pro plugin releases. This breach affects only the Pro versions of the plugins distributed via the vendor's Easy Digital Downloads infrastructure, leaving the free versions on WordPress.org untouched. The security flaw associated with the Product Slider Pro for WooCommerce plugin has been given the CVE identifier CVE-2026-49777, with a maximum CVSS severity score of 10.0. The entire incident has been assigned the identifier CVE-2026-10735, with a CVSS score of 9.8. The compromised plugins include a loader that activates on every admin page, pulling a payload from a remote server, installing it, and enabling it as a counterfeit plugin. This malware covertly reports the victim domain back to the server and erases itself, complicating response efforts. Additionally, the fake plugin conceals itself from the WordPress admin plugin list and can capture credentials, including two-factor authentication codes, in plaintext. It employs various persistence methods, allowing arbitrary file writes via a custom REST endpoint and the deployment of a web shell with command execution capabilities. A PHP file named 'install-persistent.php' further facilitates data extraction before deleting itself. This attack notably endangers site owners who obtained legitimate licenses and installed updates directly from ShapedPlugin's official update system. ShapedPlugin has acknowledged the breach and is currently reassessing its distribution and release processes to safeguard product integrity. Updated versions of the compromised plugins are anticipated following thorough security reviews and validation tests. Affected site owners are advised to reset all passwords, regenerate two-factor authentication secrets for all users, scrutinize administrator accounts for unauthorized changes, and verify mail plugin configurations for altered SMTP credentials.