ShapedPlugin Compromise Injects Malware into WordPress Sites

According to data WordPress security company Defiant collected from its Wordfence firewall, the backdoor was injected into ShapedPlugin's Pro builds on May 21.

Timeline recorded by Wordfence and ShapedPlugin's response

Defiant’s Wordfence telemetry shows a rapid arc: the malicious code was introduced on May 21, the first customer reports about potentially malicious updates surfaced on June 10, researchers downloaded infected plugins from ShapedPlugin’s site and confirmed the breach on June 12, and the publisher acknowledged the incident on June 16. ShapedPlugin told Wordfence, “Our team immediately initiated an investigation upon identifying the concern, and we have already implemented the necessary measures to mitigate the issue.” The company said it was preparing updated plugin releases and validating them before pushing them to customers’ update channels.

How the malware was delivered and what it did

According to Wordfence analysis, the attack used a malicious loader file named LicenseLoader.php embedded into ShapedPlugin’s Pro plugin builds. The loader activates when a WordPress administrator accesses the site's admin panel, contacts a command-and-control (C2) server, downloads a second-stage backdoor, installs that backdoor as a fake plugin (reported names: woocommerce-subscription or woocommerce-notification), reports back to the attacker, and then self-deletes to remove traces. The fake plugin is hidden from the WordPress plugin list.

Once installed, the fake plugin attempts to exfiltrate a broad set of sensitive data from infected sites, including WordPress login credentials (usernames, passwords, session cookies, user roles, IP addresses, and browser details); two-factor authentication (2FA) secrets from popular WordPress security plugins; database credentials and WordPress authentication keys from wp-config.php; administrator account details; SMTP/email service credentials; and WooCommerce order data from the past three months, including payment method information.

Scope: which products were affected and which updates fixed it

The compromise affected only three paid ShapedPlugin products: Product Slider Pro for WooCommerce (versions before 3.5.4), Real Testimonials Pro 3.2.5, and Smart Post Show Pro (versions before 4.0.2). Wordfence reports that fixes were made available for Product Slider Pro in version 3.5.4 and for Smart Post Show Pro in version 4.0.2. BleepingComputer contacted ShapedPlugin; the vendor pointed to the release of Real Testimonials Pro version 3.2.6, whose changelog lists a single entry described as “Fix: Some WPCS-related warnings,” and said an official statement would be published once Wordfence confirmed that the patches addressed the issue.

ShapedPlugin markets front-end/UI and content display plugins; the company’s free products have a combined active installation base of more than 400,000, though the incident as reported involves only the paid Pro builds delivered through the vendor’s own update system.

Why investigators believe this was a build-pipeline supply-chain compromise

Wordfence’s analysis points to a build pipeline compromise rather than tampering on WordPress.org or local developer machines. Indicators include file modifications and timestamp patterns consistent with automated injection, and Git build references contained in the malicious packages. Releases hosted on WordPress.org were confirmed to be clean, which suggests the attackers obtained access to ShapedPlugin’s release infrastructure or build pipeline rather than the WordPress.org repository itself. WordPress is tracking the incident under CVE-2026-10735; CVE-2026-49777 was submitted as a duplicate.

The ShapedPlugin incident arrived in quick sequence after a separate supply-chain breach affecting another WordPress product, OptinMonster, which researchers tied to a CDN credential theft. In contrast, investigators in the ShapedPlugin case point to the build pipeline as the likely point of compromise.

What this means for website administrators, security teams, and plugin vendors

  • Website administrators: If a fake WooCommerce plugin is found, administrators are recommended to reset all site passwords, regenerate two-factor authentication (2FA) secrets, and review user lists for rogue additions. The malicious component hides from the plugin list and attempts to steal site and payment-related data, so comprehensive remediation is required.
  • Security teams: Network and host-based detection should focus on indicators such as a LicenseLoader.php loader, unexpected plugins named like woocommerce-subscription or woocommerce-notification, and connections to unknown C2 hosts initiated when administrators access the admin panel.
  • Plugin vendors and build engineers: The pattern of automated timestamped injections and Git build references underscores the risk to CI/CD and release pipelines. Vendors should validate build integrity, review access controls around release infrastructure, and confirm that WordPress.org-hosted releases remain isolated from compromised internal distribution channels.
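The indicators listed for security teams above, together with the loader/fake-plugin behaviour described earlier, can be turned into a simple offline triage pass over a site's file listing. This is an added example, not Wordfence's or ShapedPlugin's code; the `all_plugins` filter heuristic is an assumption about how plugins hide themselves from the admin list, not something the report states, and the sample listing is constructed. Remember that the loader self-deletes, so its absence does not prove a site is clean.

```python
"""Offline triage of a WordPress file listing for the indicators named in the report."""
import re
from typing import Dict, List

LOADER_NAME = "LicenseLoader.php"  # malicious loader reported by Wordfence
FAKE_PLUGIN_SLUGS = {"woocommerce-subscription", "woocommerce-notification"}
# Heuristic (assumption, not from the report): a plugin that hides itself from the
# admin plugin list usually hooks the 'all_plugins' filter to drop its own entry.
HIDE_HOOK = re.compile(r"add_filter\(\s*['\"]all_plugins['\"]")
PLUGIN_DIR = "wp-content/plugins/"


def plugin_slug(path: str) -> str:
    """Return the plugin directory name for a path under wp-content/plugins/, else ''."""
    if not path.startswith(PLUGIN_DIR):
        return ""
    return path[len(PLUGIN_DIR):].split("/", 1)[0]


def triage(files: Dict[str, str]) -> List[str]:
    """files maps site-relative path -> file contents. Returns sorted finding strings."""
    findings = set()
    for path, body in files.items():
        slug = plugin_slug(path)
        if path.rsplit("/", 1)[-1] == LOADER_NAME:
            findings.add(f"loader:{slug or path}")
        if slug in FAKE_PLUGIN_SLUGS:
            findings.add(f"fake-plugin:{slug}")
        if slug and path.endswith(".php") and HIDE_HOOK.search(body):
            findings.add(f"hides-from-plugin-list:{slug}")
    return sorted(findings)


# Constructed sample listing (stand-in content, not real files from the incident).
SAMPLE_SITE = {
    "wp-content/plugins/woocommerce/woocommerce.php": "<?php /* Plugin Name: WooCommerce */",
    "wp-content/plugins/some-pro-plugin/some-pro-plugin.php": "<?php /* Plugin Name: Some Pro */",
    "wp-content/plugins/some-pro-plugin/includes/LicenseLoader.php": "<?php // stand-in loader",
    "wp-content/plugins/woocommerce-notification/init.php":
        "<?php add_filter('all_plugins', 'wn_hide_self'); // constructed hide hook",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_SITE):
        print(finding)
```

Run it against a real listing by walking the WordPress root and reading each `.php` file into the dictionary; any `fake-plugin` or `loader` hit warrants the full remediation described for administrators above.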

What is known about this incident is specific and narrow: attackers distributed a backdoor through ShapedPlugin’s paid update flow, installed a hidden fake WooCommerce plugin, and sought a wide range of credentials and transaction data. Fixes for two of the three affected products are already published; the third vendor update references only a WPCS warning fix and awaits external confirmation. For site owners and vendors alike, the open questions are how the build pipeline was accessed and whether additional, still undiscovered packages were touched, answers that the ongoing investigation and Wordfence’s coordination with ShapedPlugin are meant to provide.

Original BleepingComputer report