A major security incident has affected Pro plugins from ShapedPlugin, a popular WordPress plugin developer with more than 400,000 active installations across its free plugins.
The issue was discovered by the Wordfence Threat Intelligence team, which found that attackers had compromised ShapedPlugin’s software distribution process and injected malware into official Pro plugin updates.
Unlike a typical plugin vulnerability, this incident is being described as a supply chain attack. In a supply chain attack, attackers do not target individual websites directly. Instead, they compromise the systems used to build, package, or distribute software. Once those systems are compromised, malicious code can be inserted into legitimate software updates and delivered to customers through trusted channels.
This is what makes supply chain attacks dangerous. Site owners may follow all recommended security practices, purchase legitimate licenses, and install updates from official sources, yet still end up installing malware.
According to Wordfence, the compromise only affected Pro plugins distributed through ShapedPlugin’s paid update infrastructure. Free plugins available through WordPress.org were not affected.
Wordfence confirmed malicious code in several ShapedPlugin Pro products, including:
- Product Slider Pro for WooCommerce
- Real Testimonials Pro
- Smart Post Show Pro
The issue has been assigned CVE-2026-10735 and carries a critical CVSS score of 9.8.
Researchers also linked the incident to CVE-2026-49777, a previously disclosed issue affecting Product Slider Pro versions before 3.5.4.
Wordfence found that compromised plugin packages contained a malicious loader file that executed when an administrator accessed the WordPress dashboard. Once activated, the loader downloaded a second-stage payload from an attacker-controlled server and installed it as a hidden plugin.
The malware provided attackers with several capabilities, including:
- Remote access to compromised websites
- Credential theft
- Data exfiltration
- File uploads and command execution
- Authentication bypass
The malware also attempted to hide itself from the WordPress admin plugin list, making manual detection difficult.
Wordfence found code specifically designed to collect TOTP secrets from popular WordPress security plugins, including Wordfence Login Security, WP 2FA, Really Simple SSL 2FA, and the Two-Factor plugin. With access to both passwords and 2FA secrets, attackers could potentially bypass multi-factor authentication protections and maintain access to compromised websites even after passwords were changed.
Wordfence’s investigation found several indicators suggesting the attackers gained access to ShapedPlugin’s build and release pipeline. Researchers discovered that only a handful of files were modified during a narrow time window in May 2026. The changes appeared highly targeted and consistent with an automated build process rather than manual tampering.
The attackers also selectively targeted Pro plugin releases while leaving WordPress.org versions untouched. This suggests they specifically focused on paid customers, who are often more valuable targets.
According to Wordfence, the attack appears to have remained active between April and June 2026.
ShapedPlugin acknowledged the incident and said it immediately began investigating after receiving reports from researchers. The company stated that it has implemented mitigation measures, reviewed its infrastructure, and is preparing updated plugin releases after completing additional security checks and validation testing.
I think the most concerning part of this incident is not the malware itself. It is the fact that the malware specifically targeted 2FA secrets. The attack shows that attackers are adapting and are no longer satisfied with stealing passwords alone.
Another important lesson is that many WordPress site owners focus heavily on preventing intrusions but spend very little time on detection. In this case, the malware hid itself, deleted traces of its activity, and could remain unnoticed for long periods. That means security is no longer just about preventing attacks. It is also about quickly detecting when something goes wrong.
This incident again confirms that running a large number of plugins is not safe, even when they come from trusted developers. Site owners should also evaluate how seriously a vendor takes security, incident response, infrastructure protection, and release management. A plugin developer’s security practices directly affect every customer using their software.
If you installed or updated any ShapedPlugin Pro plugin between April and June 2026, you should treat your site as potentially compromised. I recommend running a malware scan. You should also check for suspicious plugins such as woocommerce-subscription or woocommerce-notification.
Change all WordPress administrator passwords, rotate database credentials and API keys, and reset all 2FA secrets for every user.
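Because the malware hid itself from the WordPress admin plugin list, the plugin screen alone cannot be trusted to show what is installed. The following script is an added example (it is not from the article, Wordfence, or ShapedPlugin) that treats the plugin directories on disk as the ground truth: it lists every directory under the plugins folder that is missing from whatever list WordPress shows you, and separately flags the two slugs named above. It assumes the standard `wp-content/plugins/<slug>/` layout and that you have saved the "visible" plugin list to a file, one slug per line, for example from the dashboard plugin screen or from `wp plugin list --field=name` (WP-CLI). The slug list and the `SUSPICIOUS_SLUGS` variable are placeholders you should extend with your own indicators.

```shell
#!/bin/sh
# Added example, not the article's or vendor's code. Compares plugin
# directories on disk with the plugins WordPress reports as installed.
# Assumed layout: wp-content/plugins/<slug>/ (also works on mu-plugins).

# Slugs the article names as suspicious. Placeholder list: extend from
# your own incident data.
SUSPICIOUS_SLUGS="woocommerce-subscription woocommerce-notification"

# find_hidden_plugins PLUGIN_DIR VISIBLE_LIST_FILE
# Prints each on-disk plugin directory whose slug is absent from the
# visible list. A plugin present on disk but missing from the admin
# list is exactly what a self-hiding plugin looks like.
find_hidden_plugins() {
    plugin_dir="$1"
    visible_list="$2"
    for path in "$plugin_dir"/*/; do
        [ -d "$path" ] || continue
        slug=$(basename "$path")
        # -x: whole-line match, -F: literal (no regex metacharacters)
        if ! grep -qxF "$slug" "$visible_list"; then
            printf '%s\n' "$slug"
        fi
    done
    return 0
}

# find_known_slugs PLUGIN_DIR
# Prints any directory whose name matches a slug in SUSPICIOUS_SLUGS.
find_known_slugs() {
    plugin_dir="$1"
    for slug in $SUSPICIOUS_SLUGS; do
        [ -d "$plugin_dir/$slug" ] && printf '%s\n' "$slug"
    done
    return 0
}

# Usage (only runs when a plugins directory and a visible-list file are
# given on the command line):
#   sh check-plugins.sh /var/www/html/wp-content/plugins visible.txt
if [ "$#" -ge 2 ]; then
    echo "On disk but not in the visible plugin list:"
    find_hidden_plugins "$1" "$2"
    echo "Directories matching known suspicious slugs:"
    find_known_slugs "$1"
fi
```

Run it once against `wp-content/plugins` and once against `wp-content/mu-plugins`; anything it prints should be inspected before being deleted, since a hidden directory may hold the only copy of the second-stage payload you will want for forensics.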
If you are unsure whether your WordPress site has been affected or want a professional security review, Techlomedia Internet offers WordPress security audits, malware cleanup, hardening, performance optimization, and ongoing maintenance services. We help businesses secure their websites, identify potential risks, and respond quickly to security incidents before they cause serious damage.