ShapedPlugin update flow hacked to infect WordPress sites
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack that distributed infected releases to paying customers via the vendor's official update system. [...]
AI Analysis
Technical Summary
ShapedPlugin's build pipeline was compromised, allowing attackers to inject a malicious loader (LicenseLoader.php) into three paid WordPress plugins. When an administrator accessed the WordPress admin panel, the loader contacted a command-and-control server to download a backdoor disguised as a fake WooCommerce plugin. This backdoor was hidden from the plugin list and stole WordPress login credentials, 2FA secrets, database credentials, SMTP credentials, and recent WooCommerce order data. The attack was confirmed by Wordfence and tracked under CVE-2026-10735 (with a duplicate, CVE-2026-49777). The vendor released fixed versions: Product Slider Pro 3.5.4, Real Testimonials Pro 3.2.6, and Smart Post Show Pro 4.0.2. The compromise appears limited to the vendor's release infrastructure, as the releases hosted on WordPress.org were clean.
Potential Impact
The supply chain compromise allowed attackers to distribute malware to paying customers via official plugin updates. The malware enabled credential theft (including WordPress admin credentials, 2FA secrets, database and email credentials) and remote file-writing capabilities, potentially allowing further site compromise and data exfiltration. WooCommerce order data including payment methods from the past three months was also exposed. This could lead to unauthorized access, data breaches, and site manipulation on affected WordPress installations.
Mitigation Recommendations
Official patches are available: update Product Slider Pro to version 3.5.4 or later, Real Testimonials Pro to 3.2.6 or later, and Smart Post Show Pro to 4.0.2 or later. The vendor has confirmed investigation and mitigation measures. If infected fake WooCommerce plugins are detected, administrators should reset all WordPress passwords, regenerate two-factor authentication secrets, and review user accounts for unauthorized additions. No further action is required beyond applying these updates and following these recommendations.
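One way to run the version check from the mitigation steps across a site's `wp-content/plugins` directory, written for this page (an added example, not ShapedPlugin or Wordfence code). It assumes each plugin's `Plugin Name:` header contains the product name used in the advisory; the sample tree, including version 3.5.3, is constructed.

```python
import os
import re
import sys
import tempfile

# Fixed versions from the advisory; matching on "Plugin Name:" text is an assumption.
FIXED = {"product slider pro": "3.5.4", "real testimonials pro": "3.2.6",
         "smart post show pro": "4.0.2"}
LOADER = "LicenseLoader.php"  # loader file name given in the advisory
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I)

def vtuple(version):
    return tuple(int(n) for n in re.findall(r"\d+", version))  # "3.5.4" -> (3, 5, 4)

def read_header(plugin_dir):
    """Return (name, version) from the first top-level PHP file with a plugin header."""
    for fn in sorted(f for f in os.listdir(plugin_dir) if f.endswith(".php")):
        with open(os.path.join(plugin_dir, fn), errors="replace") as fh:
            fields = {k.lower(): v for k, v in HEADER.findall(fh.read(8192))}
        if "plugin name" in fields:
            return fields["plugin name"], fields.get("version", "0")
    return None, None

def audit(plugins_root):
    """List affected plugins with version status and any loader files found."""
    findings = []
    for entry in sorted(os.listdir(plugins_root)):
        pdir = os.path.join(plugins_root, entry)
        name, version = read_header(pdir) if os.path.isdir(pdir) else (None, None)
        fixed = next((v for n, v in FIXED.items() if name and n in name.lower()), None)
        if fixed:
            loaders = sorted(os.path.relpath(os.path.join(d, f), pdir)
                             for d, _, fs in os.walk(pdir) for f in fs if f == LOADER)
            findings.append({"dir": entry, "version": version, "loader_files": loaders,
                             "needs_update": vtuple(version) < vtuple(fixed)})
    return findings

def make_sample(root):
    """Constructed tree: outdated plugin carrying the loader, plus a fixed one."""
    for d, name, ver in [("slider", "Product Slider Pro", "3.5.3"),
                         ("posts", "Smart Post Show Pro", "4.0.2")]:
        os.makedirs(os.path.join(root, d, "includes"))
        with open(os.path.join(root, d, d + ".php"), "w") as fh:
            fh.write(f"<?php\n/*\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
    open(os.path.join(root, "slider", "includes", LOADER), "w").close()
    return root

if __name__ == "__main__":  # usage: script.py [path/to/wp-content/plugins]
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit(sys.argv[1] if sys.argv[1:] else make_sample(tmp)), sep="\n")
```

A `LicenseLoader.php` hit is a prompt for manual review, since the page does not say whether the fixed releases ship a file of that name.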
Technical Details
- Article Source: https://www.bleepingcomputer.com/news/security/shapedplugin-update-flow-hacked-to-infect-wordpress-sites/ (fetched 2026-06-18T13:05:05.295Z; word count 869)
Threat ID: 6a33ed01f198dc38c1d63eab
Added to database: 6/18/2026, 1:05:05 PM
Last enriched: 6/18/2026, 1:05:19 PM
Last updated: 6/19/2026, 3:06:46 PM