ShapedPlugin Pro Plugins Backdoored: Check WordPress Sites Now

ShapedPlugin Pro plugin updates were backdoored through official channels. Check for fake WooCommerce plugins, rotate credentials, and install verified clean builds.

WordPress site owners who use paid ShapedPlugin Pro products should treat recent updates as a possible compromise, not as a routine plugin bug. Wordfence said it was notified on June 11, 2026 and later confirmed that attackers had tampered with ShapedPlugin’s build and distribution pipeline, pushing backdoored Pro releases through official licensed update channels.[1] The free WordPress.org-hosted plugin builds were reported clean, but the paid update path is exactly why this case deserves attention: affected customers could have installed malware while following normal update practice.

The incident is tracked as CVE-2026-10735, with a related duplicate CVE noted for Product Slider Pro for WooCommerce. Public reporting names Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro among the affected paid products.[1][2] Version details differ slightly between public advisories, so administrators should not rely only on a single version number. If one of these Pro plugins was installed or updated during the reported exposure window, the site deserves a full compromise check.

What site owners should check first

The malicious update used a loader that ran from the WordPress admin area, contacted a command-and-control server at 194.76.217.28:2871, installed a second-stage fake plugin, reported the victim domain, and then removed the loader to make later forensics harder.[1] The dropped plugin was observed under names such as woocommerce-subscription and woocommerce-notification, deliberately close to legitimate WooCommerce naming, and it hid itself from the normal plugin list.

That second stage is the real risk. Researchers reported credential capture, session-cookie theft, two-factor authentication secret collection, arbitrary file-writing capability, web shell tooling, and data extraction from wp-config.php. BleepingComputer also reported that the malware targeted SMTP credentials and recent WooCommerce order data, including payment method details from the past three months.[3] For a compromised store, this is not a simple plugin update cleanup. It can affect administrator accounts, database credentials, mail delivery accounts, API keys, salts, and customer-order exposure.

Start with a quick file-system and database sweep. Look for wp-content/plugins/woocommerce-subscription/, wp-content/plugins/woocommerce-notification/, install-persistent.php, LicenseLoader.php, unexpected file-manager or Adminer files, suspicious REST endpoints, and WordPress options such as theme_options_scripts or wc_nf_install_done.[1][4] Server logs should also be checked for outbound contact to 194.76.217.28:2871 and for POST traffic to /api.php on that host.
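The sweep described above can be scripted. The following is an added example, not code from Wordfence, WPScan or the vendor: it checks only the exactly named indicators from this article (the two fake plugin directories, the two loader file names, the two option names and the C2 address). The function names and sample lines are constructed for illustration, and the unnamed file-manager, Adminer and REST-endpoint indicators still need a manual review.

```python
import os
import re
import sys

# Indicators exactly as named in the article; identifiers below are this example's own.
FAKE_PLUGIN_DIRS = ("woocommerce-subscription", "woocommerce-notification")
DROPPED_FILES = {"install-persistent.php", "LicenseLoader.php"}
OPTION_NAMES = ("theme_options_scripts", "wc_nf_install_done")
C2_IP = "194.76.217.28"

# Lookarounds keep the IP from matching inside a longer run of digits and dots.
TEXT_IOC = re.compile(
    r"(?<![\d.])" + re.escape(C2_IP) + r"(?!\d)|"
    + "|".join(re.escape(name) for name in OPTION_NAMES)
)

def sweep_files(wp_root):
    """Return sorted paths of fake plugin directories and dropped loader files."""
    hits = set()
    plugins = os.path.join(wp_root, "wp-content", "plugins")
    for name in FAKE_PLUGIN_DIRS:
        # Exact directory names, read from disk: the dropped plugin hides itself
        # from the normal plugin list, so the dashboard view is not evidence.
        path = os.path.join(plugins, name)
        if os.path.isdir(path):
            hits.add(path)
    for dirpath, _dirs, files in os.walk(wp_root):
        hits.update(os.path.join(dirpath, f) for f in files if f in DROPPED_FILES)
    return sorted(hits)

def sweep_text(lines):
    """Return (line number, indicator) pairs from server-log or SQL-dump lines."""
    return [(n, m.group(0)) for n, line in enumerate(lines, 1)
            for m in TEXT_IOC.finditer(line)]

# Constructed sample lines (not real logs): two egress entries and one wp_options row.
SAMPLE = [
    "2026-06-12T03:14:07Z egress tcp 10.0.0.5:51544 -> 194.76.217.28:2871 ALLOW",
    "2026-06-12T03:14:09Z egress tcp 10.0.0.5:51546 -> 203.0.113.10:443 ALLOW",
    "INSERT INTO wp_options VALUES (991,'wc_nf_install_done','1','yes');",
]

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path in sweep_files(root):
        print("FILE", path)
    for lineno, ioc in sweep_text(SAMPLE):
        print("TEXT", lineno, ioc)
```

Pass the WordPress root as the first argument, and feed `sweep_text` the lines of a server log or a database dump in place of `SAMPLE`.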

If any indicator is present, assume the site is fully compromised. Remove the fake plugin from a clean maintenance environment, reinstall verified clean copies of the affected ShapedPlugin products, rotate every WordPress administrator password, regenerate 2FA/TOTP secrets, replace WordPress salts, rotate database and SMTP credentials, and review administrator accounts for recent additions. WooCommerce shops should also review order access, payment plugin settings, and any mail provider logs for unusual authentication or forwarding changes.

This incident also fits a broader WordPress supply-chain pattern. HowToFix recently covered the OptinMonster supply-chain backdoor, the Gravity SMTP email-key leak, and the exploited Everest Forms Pro RCE flaw. The shared lesson is practical: for commercial plugins, keep update logs, monitor unexpected plugin directories, and be ready to rotate secrets when a vendor’s distribution channel is touched.

For now, owners of ShapedPlugin Pro products should install only verified clean releases from the vendor account portal after scanning the existing site, not before. Updating an already backdoored WordPress install may remove one vulnerable package while leaving hidden persistence, stolen credentials, and rogue admin accounts behind.

References

  1. Wordfence Threat Intelligence, “PSA: Supply Chain Compromise Targets ShapedPlugin, Backdoored Pro Plugins Distributed via Official Channels”, June 16, 2026.
  2. The Hacker News, “ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack”, June 22, 2026.
  3. BleepingComputer, “ShapedPlugin update flow hacked to infect WordPress sites”, June 18, 2026.
  4. WPScan, “ShapedPlugin Multiple Pro Plugins – Backdoor via Compromised Vendor Update Server”, CVE-2026-10735.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
