CVE-2026-10735: CWE-912 Hidden Functionality in smart-post-show-pro
Multiple Shaped plugins (smart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3) were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites.
AI Analysis
Technical Summary
CVE-2026-10735 concerns multiple WordPress plugins, notably smart-post-show-pro version 4.0.1, which were distributed with malicious code due to a compromised vendor update server. This hidden functionality (CWE-912) enables unauthenticated attackers to deploy a secondary payload that can exfiltrate sensitive information such as credentials and grant full control over the affected WordPress sites. The vulnerability arises from the supply chain compromise rather than a direct flaw in the plugin code itself. No CVSS score or official remediation is currently documented.
Potential Impact
The compromise allows attackers to execute unauthorized code on affected WordPress sites, leading to credential theft, data exfiltration, and complete site takeover. This poses a critical risk to site integrity, confidentiality, and availability. Since the malicious code was distributed through the vendor's update server, all sites running the affected versions that applied updates during the compromise window are at risk.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix or update is released, site administrators should consider removing or disabling the affected plugins (e.g., smart-post-show-pro version 4.0.1) and restoring from backups taken before the compromise. Monitoring for signs of compromise and changing credentials is advisable. Follow vendor communications closely for updates.
CVSS v3.1
Score: 7.5 (High)
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2026-06-03T12:46:26.728Z
- CVSS Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a3b7810eed863c81e5f717a
Added to database: 06/24/2026, 06:24:16 UTC
Last enriched: 06/24/2026, 06:55:34 UTC
Last updated: 06/24/2026, 14:13:01 UTC