
WordPress Supply Chain Attack Hijacks ShapedPlugin Pro Plugins

A supply chain breach compromised ShapedPlugin’s Pro WordPress plugins, injecting a backdoor that exfiltrates credentials and drops a web shell. Learn the impact and remediation steps.


When Wordfence reported that the compromised build injected a loader into the Pro plugin releases, the incident’s CVE identifier, CVE-2026-49777, was assigned the maximum CVSS score of 10.0, flagging it as maximum severity. That’s the kind of headline that makes any site admin sit up straight.

Key Takeaways

  • Attackers tampered with ShapedPlugin’s official build pipeline, inserting a backdoor into Pro plugin updates.
  • The backdoor targets admin pages, fetches a payload from 194.76.217.28:2871, and installs a hidden plugin.
  • Exfiltrated data includes wp-config.php, admin accounts, SMTP credentials, and three months of WooCommerce orders.
  • Only the paid Pro versions delivered via Easy Digital Downloads are affected; free versions on WordPress.org remain clean.
  • ShapedPlugin has pledged to review its distribution process and will release patched versions after thorough security testing.

WordPress Supply Chain Attack Targets ShapedPlugin Pro Plugins

It’s not every day that a supply chain breach lands a malicious loader on a popular WordPress plugin. The attackers compromised the vendor’s build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels, according to Wordfence. That’s how the malicious code slipped past countless site owners who trusted the vendor’s update mechanism.

How the Backdoor Was Inserted

Because the compromise only affected the Pro builds delivered via the vendor’s Easy Digital Downloads (EDD) infrastructure at account.shapedplugin[.]com, the free versions on WordPress.org stayed untouched. The attackers gained access to the build pipeline itself, rather than poisoning the public package repositories. That’s a subtle but dangerous distinction – it means the malicious code was baked into the official releases, not just an opportunistically tampered zip file.

Scope of the Compromise

We’ve seen the list of affected plugins, and each one carries its own version constraints. The compromised releases include:

  • Product Slider Pro for WooCommerce – all versions before 3.5.4
  • Real Testimonials Pro – version 3.2.5
  • Smart Post Show Pro – all versions before 4.0.2

All three plugins share the same malicious loader, which activates on every admin page. That’s why the attack went unnoticed for weeks – it blended in with normal admin traffic.

Why Those Versions Matter

Because the backdoor was baked into the release process, any site that updated through the official EDD channel before the patches were issued is vulnerable. The related identifier, CVE-2026-10735, received a CVSS score of 9.8, which underscores the breadth of the issue across the entire incident.

Technical Details of the Loader

When the malicious loader runs, it reaches out to a remote server at 194.76.217.28:2871. It then downloads a payload, installs it as a fake plugin, and immediately hides that plugin from the WordPress admin list. That’s how it stays out of sight while it siphons data.

The counterfeit plugin does more than just hide. It captures plaintext credentials and 2FA codes, and it even creates a custom REST endpoint that lets an attacker write arbitrary files if they present a specific authentication token. That’s a multi‑vector persistence mechanism that gives the attacker near‑full control of the compromised site.

One of the more alarming parts is the use of a PHP file named install-persistent.php. When executed, it extracts:

  • Full contents of wp-config.php, including database credentials, authentication keys, and debug settings.
  • All administrator accounts with registration dates.
  • Mail plugin credentials from WP Mail SMTP, Post SMTP, and Easy WP SMTP.
  • WooCommerce order data from the last three months, complete with payment method breakdown.

Once the data is displayed, the file deletes itself, erasing forensic footprints and making incident response a nightmare.

Response from ShapedPlugin and Wordfence

Wordfence published an analysis last week, stating:

“Attackers compromised the vendor’s build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels,”

and they flagged the CVE identifiers with the highest severity scores. That’s a clear call to action for any site running the affected versions.

ShapedPlugin confirmed the breach, saying they’re reviewing the distribution and release processes to ensure integrity moving forward. They promised new, clean versions of the impacted plugins after comprehensive security reviews and validation tests. That’s a responsible move, but the damage control phase is already in full swing.

Remediation Steps for Site Owners

If you’re running any of the affected Pro plugins, you can’t wait for the patched releases. The recommended steps are:

  • Reset all user passwords immediately.
  • Revoke and regenerate two‑factor authentication secrets for every user.
  • Audit administrator accounts for any unauthorized additions.
  • Inspect mail plugin configurations for altered SMTP credentials.
  • Replace the compromised plugins with clean copies from the vendor once they’re released.

Because the backdoor can hide itself, you should also scan the file system for unknown plugins and check for the install-persistent.php file. That’s a good way to confirm the loader hasn’t left behind any remnants.

Historical Context of WordPress Supply‑Chain Threats

Supply‑chain compromises have been a recurring concern for the WordPress ecosystem. The platform’s reliance on third‑party extensions creates a large attack surface, and each additional plugin introduces another point where an attacker could insert malicious code. Past incidents have shown that even well‑maintained vendors can fall victim to credential theft or insider abuse. Those lessons highlight why a single breach in a build pipeline can cascade across thousands of sites that trust automatic updates.

When a vendor’s CI/CD environment is infiltrated, the attacker gains the same privileges that the vendor uses to sign and distribute releases. That level of access bypasses many traditional security checks, because the code appears to come from a trusted source. The ShapedPlugin case reinforces the notion that a trusted update channel is only as safe as the processes protecting it.

Technical Architecture of the Malicious Loader

At the heart of the attack lies a small PHP snippet that hooks into WordPress’s admin initialization routine. The snippet registers a callback that fires on every admin page load. During each request, the callback opens a network socket to the hard‑coded IP address and port, then streams the remote payload into a temporary directory.

After the payload lands on the server, the loader writes a new plugin folder under wp-content/plugins. The plugin’s main file is deliberately named to avoid detection by common scanning tools. Immediately after creation, the loader invokes WordPress’s plugin activation API, but it also updates the plugin’s metadata to flag it as “inactive” in the admin UI. That dual action lets the malicious code run while staying invisible to site owners.

Beyond hiding, the loader registers a custom REST route that checks for a secret token supplied in the HTTP request header. If the token matches, the endpoint accepts arbitrary file data and writes it to the web root. This backdoor gives the attacker a persistent foothold, even if the hidden plugin is later removed.

Finally, the install-persistent.php script is scheduled to run once via WordPress’s cron system. Its sole purpose is to dump sensitive configuration files and credentials, then self‑delete. The script outputs the stolen data to the screen, which the attacker can capture through the remote connection, before erasing any trace of its execution.

What This Means For You

For developers and site operators, the incident is a stark reminder that trusting a vendor’s update channel doesn’t guarantee safety. If your business relies on paid plugins, you need a verification step – like hashing the downloaded package against a known good value – before you deploy updates. That’s how you can catch supply chain tampering before it spreads.

For founders building SaaS platforms on WordPress, the breach highlights the need for a strong third‑party risk program. You should treat each plugin as a potential attack surface, monitor for CVE announcements, and have an incident response plan that includes rapid credential rotation. That’s the only way to keep your customers’ data out of a malicious actor’s hands.

Concrete Scenario 1 – Continuous Integration Pipelines

Imagine your CI pipeline pulls the latest Pro plugin from the vendor’s EDD server before running automated tests. If the pipeline automatically promotes the package to production, the malicious loader silently becomes part of the build. Adding a checksum verification step after the download, and before the build proceeds, would flag the altered package. You could then halt deployment, investigate the discrepancy, and avoid pushing compromised code to live sites.
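The checksum gate described in this scenario (and in the hashing step suggested above), as an added shell example that is not ShapedPlugin’s, Wordfence’s or the article’s code: the pipeline refuses to promote a downloaded package unless its SHA-256 matches a pin recorded for that exact slug and version, and it fails closed when no pin exists. The pin file format, the slug product-slider-pro and the origin of the pins (a vendor-published digest or a previously verified build) are assumptions; the package bytes are constructed.

```shell
# Added example, not ShapedPlugin or Wordfence code: a CI gate that refuses to
# promote a downloaded Pro package unless its SHA-256 matches a pin recorded for
# that exact slug and version. The pin file format ("slug version sha256") and
# the source of the pins (a vendor-published digest or a previously verified
# build) are assumptions.

# sha256_of FILE: hex digest via sha256sum (GNU) or shasum (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# verify_package FILE SLUG VERSION PINS: 0 = digest matches the pin,
# 1 = digest mismatch, 2 = no pin recorded (fail closed: unpinned builds never deploy).
verify_package() {
  local file=$1 slug=$2 ver=$3 pins=$4 want have
  want=$(awk -v s="$slug" -v v="$ver" '$1==s && $2==v {print $3}' "$pins")
  if [ -z "$want" ]; then echo "NO PIN for $slug $ver, refusing to deploy" >&2; return 2; fi
  have=$(sha256_of "$file")
  if [ "$have" != "$want" ]; then echo "HASH MISMATCH for $slug $ver: got $have" >&2; return 1; fi
  echo "verified $slug $ver"
}

# make_fixture: constructed package and pin file (not a real vendor release); prints the dir.
make_fixture() {
  local root; root=$(mktemp -d)
  printf 'constructed plugin package bytes' > "$root/product-slider-pro-3.5.4.zip"
  printf 'product-slider-pro 3.5.4 %s\n' "$(sha256_of "$root/product-slider-pro-3.5.4.zip")" > "$root/pins"
  # Simulate a tampered download: same file name, one extra byte appended.
  cp "$root/product-slider-pro-3.5.4.zip" "$root/tampered.zip"; printf 'x' >> "$root/tampered.zip"
  echo "$root"
}
```

In the pipeline, call verify_package on the archive right after the download and only unpack it when the function returns 0; exit codes 1 and 2 both halt the build for investigation.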

Concrete Scenario 2 – Managed Hosting Environments

Suppose you run a managed WordPress hosting service that offers one‑click plugin updates for clients. When an affected Pro version arrives, the one‑click updater installs it across dozens of accounts without human oversight. By integrating a security scanner that looks for unknown plugin directories and the presence of install-persistent.php, you could detect the hidden payload early and alert customers before any data is exfiltrated.

Concrete Scenario 3 – Multi‑Site Networks

Consider a WordPress multisite network where a single admin controls dozens of sub‑sites. Updating a single Pro plugin on the network level propagates the code to every sub‑site. If the loader is present, each admin page across the network becomes a beacon for the attacker. Deploying a network‑wide audit that enumerates installed plugins and cross‑checks version numbers against a trusted manifest can surface inconsistencies and prevent a network‑wide compromise.
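The network‑wide audit described here, together with the scan for unknown plugin directories and install-persistent.php from the remediation steps and Scenario 2, as one added shell example that is not the vendor’s or Wordfence’s code: it walks a wp-content/plugins tree, reads each plugin header’s Version line, cross‑checks it against a trusted slug/version manifest and the affected releases listed earlier, and flags the dump script by name. The directory slugs, the manifest format and the sample trees are assumptions and constructed data.

```shell
# Added example, not ShapedPlugin or Wordfence code: audits one wp-content/plugins
# tree against a trusted "slug version" manifest and the affected Pro versions
# named in the article. Directory slugs and the manifest format are assumptions.

# version_lt A B: true when A sorts strictly before B as a version string.
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# is_affected SLUG VERSION: the three compromised releases from the article.
is_affected() {
  case "$1" in
    product-slider-pro)    version_lt "$2" 3.5.4 ;;
    real-testimonials-pro) [ "$2" = 3.2.5 ] ;;
    smart-post-show-pro)   version_lt "$2" 4.0.2 ;;
    *) return 1 ;;
  esac
}

# plugin_version DIR: the "Version:" field of the first plugin header found.
plugin_version() {
  grep -h -m1 -E '^[[:space:]*]*Version:' "$1"/*.php 2>/dev/null | head -n1 | sed -E 's/.*Version:[[:space:]]*//' | tr -d '\r'
}

# audit_plugins PLUGINS_DIR MANIFEST: prints findings; returns 1 if any, else 0.
audit_plugins() {
  local dir=$1 manifest=$2 rc=0 path slug ver want
  for path in "$dir"/*/; do
    [ -d "$path" ] || continue; slug=$(basename "$path"); ver=$(plugin_version "$path")
    want=$(awk -v s="$slug" '$1==s{print $2}' "$manifest")
    if [ -z "$want" ]; then echo "UNKNOWN  $slug (not in manifest)"; rc=1
    elif [ "$want" != "$ver" ]; then echo "MISMATCH $slug $ver != $want"; rc=1; fi
    if is_affected "$slug" "$ver"; then echo "AFFECTED $slug $ver"; rc=1; fi
  done
  # The self-deleting dump script named in the article is an IoC by itself.
  find "$dir" -name install-persistent.php | grep -q . && { echo "IOC      install-persistent.php under $dir"; rc=1; }
  return $rc
}

# make_fixture: constructed sample trees (not real vendor files); prints the root.
make_fixture() {
  local root; root=$(mktemp -d)
  printf 'product-slider-pro 3.5.4\nreal-testimonials-pro 3.2.4\n' > "$root/manifest"
  mkdir -p "$root/clean/product-slider-pro" "$root/dirty/product-slider-pro" "$root/dirty/wp-seo-cache"
  printf '<?php\n/*\n * Version: 3.5.4\n */\n' > "$root/clean/product-slider-pro/psp.php"
  printf '<?php\n/*\n * Version: 3.5.3\n */\n' > "$root/dirty/product-slider-pro/psp.php"
  printf '<?php\n/*\n * Version: 1.0\n */\n' > "$root/dirty/wp-seo-cache/cache.php"
  touch "$root/dirty/wp-seo-cache/install-persistent.php"
  echo "$root"
}
```

On a multisite network, run audit_plugins once against the shared wp-content/plugins directory and treat any non‑zero exit as a reason to pause network‑level updates.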

Key Questions Remaining

  • How long did the attackers have undetected access to the build pipeline before the compromise was discovered?
  • What specific security controls did the vendor lack that allowed the injection of the malicious loader?
  • Will future releases include a signed hash verification mechanism to reassure users of package integrity?
  • How will WordPress core respond to this incident in terms of guidance for plugin developers?
  • What steps can hosting providers take to automatically quarantine affected plugins pending a clean release?

Sources: The Hacker News, Wordfence
