
ShapedPlugin hack infects 400K WordPress sites via updates

Huma Shazia, 18 June 2026 at 6:36 pm, 5 min read

Key Takeaways

  • Three premium ShapedPlugin products pushed malware via official updates from May 21 to June 16
  • The backdoor steals admin credentials, 2FA secrets, database keys, and WooCommerce order data
  • Affected sites must reset all passwords and regenerate 2FA seeds, not just update plugins

Three premium WordPress plugins from ShapedPlugin distributed malware to paying customers for nearly a month through the vendor's own update system. Attackers compromised ShapedPlugin's build pipeline and injected a loader that installs a hidden backdoor, steals admin credentials, and exfiltrates two-factor authentication secrets. The breach affects an ecosystem serving over 400,000 active installations.

WordPress security firm Defiant confirmed the breach on June 12 after downloading infected plugins directly from ShapedPlugin's site. The malicious code had been live since May 21. ShapedPlugin acknowledged the incident on June 16 and released patched versions, but the damage window spanned 26 days.

CVSS 9.8: CVE-2026-10735 severity rating, classified as critical

Which plugins were compromised?

Only three paid products were affected. Free versions hosted on WordPress.org remained clean, which points to a targeted breach of ShapedPlugin's premium release infrastructure rather than a broader repository compromise.

  • Product Slider Pro for WooCommerce (versions before 3.5.4)
  • Real Testimonials Pro (version 3.2.5)
  • Smart Post Show Pro (versions before 4.0.2)

ShapedPlugin distributes premium plugins through Easy Digital Downloads, an ecommerce layer separate from the WordPress.org plugin directory. Attackers appear to have compromised the build pipeline that packages releases before they reach that distribution system.

How does the malware work?

Infected plugin packages contain a file called LicenseLoader.php. When a WordPress admin loads the dashboard, the loader contacts a command-and-control server, downloads a second-stage payload, and installs it as a fake plugin named woocommerce-subscription or woocommerce-notification. It then deletes itself to cover its tracks.

The fake plugin hides from the WordPress plugin list. Once active, it harvests:

  • WordPress usernames, passwords, session cookies, user roles, IP addresses, and browser fingerprints
  • Two-factor authentication secrets from popular security plugins
  • Database credentials and authentication keys from wp-config.php
  • SMTP and email service credentials
  • WooCommerce order data from the past 90 days, including payment methods

The 2FA theft is the critical detail. Resetting passwords alone does not remediate the breach. Attackers who captured 2FA seeds can regenerate valid tokens and bypass standard recovery procedures.
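Because the fake plugin hides itself from the dashboard's plugin list, a check has to run against the directory on disk rather than the WordPress UI. The following script is an added example, not code from the article or from ShapedPlugin, that looks for the two indicators the article names: the rogue plugin directories and the LicenseLoader.php loader. It assumes the standard wp-content/plugins layout; the directory and file names come from the article.

```bash
#!/usr/bin/env bash
# Filesystem-level check for the indicators the article names: the rogue plugin
# directories that the second stage creates and the LicenseLoader.php loader.
# The fake plugin hides from the dashboard's plugin list, so the check runs
# against the directory on disk, not the WordPress UI.
# Assumes a standard layout where plugins live under wp-content/plugins.
set -u

# Directory names reported for the fake plugin.
ROGUE_DIRS="woocommerce-subscription woocommerce-notification"
# Loader file name reported inside the infected packages.
LOADER_FILE="LicenseLoader.php"

# Print one "TYPE path" line per indicator found under $1.
# Returns 0 when nothing was found and 1 when at least one indicator was found.
scan_plugins_dir() {
    local plugins_dir="${1:-wp-content/plugins}"
    local found=0 name loader_hits

    for name in $ROGUE_DIRS; do
        if [ -d "$plugins_dir/$name" ]; then
            echo "ROGUE_PLUGIN_DIR $plugins_dir/$name"
            found=1
        fi
    done

    # The loader deletes itself after staging the payload, so not finding it
    # proves nothing; finding it means an infected package was installed.
    loader_hits=$(find "$plugins_dir" -type f -name "$LOADER_FILE" 2>/dev/null)
    if [ -n "$loader_hits" ]; then
        printf '%s\n' "$loader_hits" | sed 's/^/LOADER_FILE /'
        found=1
    fi

    [ "$found" -eq 0 ]
}

# Run the scan when a directory is given on the command line, e.g.:
#   ./scan.sh /var/www/html/wp-content/plugins
# Exit status is 1 when indicators were found, so it can gate a cron job.
if [ "$#" -gt 0 ]; then
    scan_plugins_dir "$1" && echo "no indicators found in $1"
fi
```

A clean result only means these two indicators are absent; since the loader removes itself, a site that was infected and then cleaned by the second stage still needs the credential rotation described in the next section.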

What should affected site owners do?

Update to the patched versions immediately: Product Slider Pro 3.5.4, Real Testimonials Pro 3.2.6, and Smart Post Show Pro 4.0.2. Then search your plugins directory for woocommerce-subscription or woocommerce-notification. If either exists and you did not install it, your site was infected.

  1. Delete the fake WooCommerce plugin from wp-content/plugins.
  2. Reset all WordPress user passwords, especially administrators.
  3. Regenerate 2FA seeds in every account that uses them.
  4. Rotate database credentials in wp-config.php and update your database user.
  5. Invalidate WordPress authentication keys and salts (regenerate in wp-config.php).
  6. Audit your user list for accounts you do not recognize.
  7. Review SMTP settings and rotate email service passwords.

If your site processed payments during the infection window, assume order data was exfiltrated. Notify affected customers per your regulatory obligations.

Why supply chain attacks keep hitting WordPress

This is the second major WordPress supply chain breach in June 2026. Days earlier, OptinMonster suffered a CDN-injection attack after a marketing server flaw exposed CDN credentials. That incident touched over 1.2 million sites. The ShapedPlugin case differs: attackers compromised the build pipeline, not a delivery CDN.

WordPress's plugin ecosystem depends on hundreds of independent vendors, each maintaining its own build and release infrastructure. A single weak link (a CI server with stale credentials, an unpatched release dashboard) grants attackers a multiplier: one breach, thousands of victims.

Community discussion has shifted toward zero-trust practices for plugin updates. Manual code review before applying updates, server-side integrity monitoring, and pinning known-good versions are all on the table. None of these are convenient, but convenience is exactly what attackers exploit.
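Of the three practices mentioned, server-side integrity monitoring is the one a site owner can stand up in an afternoon. The script below is an added example, not code from the article or from any vendor it names: it records a SHA-256 manifest of the plugins directory and reports any file that has appeared, changed or vanished since. Drift that does not line up with an update you performed is a finding, which is exactly how a plugin that hides from the dashboard still shows up. It assumes GNU coreutils (sha256sum, find -print0, sort -z, xargs -0) and awk.

```bash
#!/usr/bin/env bash
# Minimal server-side integrity monitoring for the plugins directory: record a
# SHA-256 manifest of every file, then compare later runs against it. A file
# that appears, disappears or changes outside an update you performed is a
# finding, which is what surfaces a hidden plugin the dashboard never lists.
# Assumes GNU coreutils (sha256sum, find -print0, sort -z, xargs -0) and awk.
set -u

# Write "hash  ./relative/path" lines, sorted by path, for every file under $1.
build_manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum )
}

# Compare saved baseline manifest $1 against the current state of directory $2.
# Prints one "ADDED|MODIFIED|REMOVED path" line per drifted file, sorted.
# Returns 0 when the directory matches the baseline and 1 when it has drifted.
check_integrity() {
    local baseline="$1" plugins_dir="$2" current report
    current=$(mktemp)
    build_manifest "$plugins_dir" > "$current"
    # sha256sum lines are 64 hex chars, two spaces, then the path (which may
    # itself contain spaces), so split on fixed offsets rather than on whitespace.
    report=$(awk '
        FILENAME == ARGV[1] { base[substr($0, 67)] = substr($0, 1, 64); next }
        {
            p = substr($0, 67); h = substr($0, 1, 64); seen[p] = 1
            if (!(p in base))        print "ADDED " p
            else if (base[p] != h)   print "MODIFIED " p
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$baseline" "$current" | sort)
    rm -f "$current"
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# Usage:
#   ./integrity.sh baseline /var/www/html/wp-content/plugins > plugins.manifest
#   ./integrity.sh check plugins.manifest /var/www/html/wp-content/plugins
case "${1:-}" in
    baseline) build_manifest "$2" ;;
    check)    check_integrity "$2" "$3" ;;
esac
```

Keep the baseline manifest outside the web root and writable only by the account that runs the check, and regenerate it deliberately after each update you apply; a baseline the attacker can rewrite is no baseline at all.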

Timeline of the ShapedPlugin breach

May 21, 2026: Malicious code injected into ShapedPlugin's Pro plugin builds
June 10, 2026: First customer reports of suspicious update behavior
June 12, 2026: Wordfence confirms breach by downloading infected plugins from ShapedPlugin's site
June 16, 2026: ShapedPlugin acknowledges the incident
June 18, 2026: Patched versions released; CVE-2026-10735 assigned

Frequently Asked Questions

Were free ShapedPlugin plugins affected?

No. Only three premium plugins distributed through ShapedPlugin's own update system were compromised. Free versions on WordPress.org remained clean.

Is updating the plugin enough to remove the malware?

No. The backdoor installs as a separate hidden plugin. You must manually delete the fake WooCommerce plugin and rotate all credentials, including 2FA seeds.

How do I check if my site was infected?

Look for a plugin folder named woocommerce-subscription or woocommerce-notification in wp-content/plugins. If present and you did not install it, your site was compromised.

Why does 2FA need to be regenerated?

The malware steals 2FA secrets stored by security plugins. Attackers can generate valid tokens from those seeds even after you reset your password.

What is CVE-2026-10735?

It is the vulnerability identifier assigned to this supply chain compromise, rated 9.8 (critical) on the CVSS scale.


Logicity's Take

The 2FA exfiltration changes the remediation playbook. Most breach guides stop at password resets. This attack specifically targets the failsafe, so regenerating 2FA seeds is non-optional. Site owners who skip that step will find attackers logging back in within hours. Vendors, meanwhile, need to treat build pipelines like production infrastructure: immutable builds, signed artifacts, and audit logs. ShapedPlugin's 26-day exposure window suggests those controls were missing.


Source: BleepingComputer


Huma Shazia

Senior AI & Tech Writer
