CVE-2026-49777 — assigned to the supply-chain compromise of Product Slider Pro for WooCommerce — carries a CVSS score of 10.0, the maximum severity rating, and is one of two public identifiers tied to a recent backdoor campaign that reached licensed ShapedPlugin customers through the vendor’s official update channels.
What Wordfence found in the releases
In an analysis published last week, Wordfence reported that “Attackers compromised the vendor's build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels.” The compromised Pro builds include a loader that executes on every WordPress admin page and fetches a payload from 194.76.217[.]28:2871. That payload is then installed and activated as a counterfeit plugin.
According to the analysis, once the malicious component activates it reports the victim domain back to the remote server and then erases the installer components to make investigation and remediation harder. The fake plugin hides itself from the WordPress admin plugin list and is capable of capturing plaintext credentials and two-factor authentication (2FA) codes.
Technical capabilities: persistence and data exfiltration
The injected backdoor establishes multiple persistence mechanisms. These include a custom REST endpoint that permits arbitrary file writes when supplied with a specific authentication token, and the ability to drop a web shell that provides command execution on compromised hosts. The Pro builds also include a PHP file named install-persistent.php that is used to extract sensitive site data.
install-persistent.php displays — then deletes — a set of high-value artifacts, including the full contents of wp-config.php (database credentials, authentication keys, and debug settings); all administrator accounts with registration dates; SMTP credentials from WP Mail SMTP, Post SMTP, and Easy WP SMTP; and WooCommerce order data from the last three months with a payment-method breakdown.
Scope: which plugins and customers were affected
- Product Slider Pro for WooCommerce — versions before 3.5.4 (CVE-2026-49777, CVSS 10.0)
- Real Testimonials Pro — version 3.2.5
- Smart Post Show Pro — versions before 4.0.2
The compromise only affected Pro plugin builds distributed through the vendor’s Easy Digital Downloads (EDD) infrastructure via account.shapedplugin[.]com. Free versions of these plugins hosted on WordPress.org were not impacted.
Wordfence assigned a second identifier to the overall incident, CVE-2026-10735, with a CVSS score of 9.8, reflecting the broad severity and range of capabilities the backdoor exposed.
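A triage sketch for the indicators listed above, added here as an example and not taken from Wordfence or ShapedPlugin: it walks a wp-content/plugins tree and flags affected version headers, the install-persistent.php filename, and references to the reported payload address. It assumes each Pro build's "Plugin Name:" header contains the product name as written in this article; the function names and the sample directory layout are constructed for illustration.

```python
import re
from pathlib import Path

C2_ADDRESS = "194.76.217[.]28".replace("[.]", ".")  # from the article, refanged for matching
DROPPER_NAME = "install-persistent.php"
# Assumption: each Pro build's "Plugin Name:" header contains the product name below.
AFFECTED = {
    "Product Slider Pro for WooCommerce": lambda v: v < (3, 5, 4),
    "Real Testimonials Pro": lambda v: v == (3, 2, 5),
    "Smart Post Show Pro": lambda v: v < (4, 0, 2),
}
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.M | re.I)

def parse_version(text):
    """Turn '3.5.3' into (3, 5, 3), padding missing parts with zeros."""
    return tuple((list(map(int, re.findall(r"\d+", text))) + [0, 0, 0])[:3])

def scan_plugins(plugins_dir):
    """Return sorted (relative path, reason) findings for one plugins directory.

    Headers are read only from PHP files directly inside a plugin folder and
    only from the first 8 KiB, which mirrors how WordPress locates them.
    """
    findings = set()
    for php in filter(Path.is_file, Path(plugins_dir).rglob("*.php")):
        rel = php.relative_to(plugins_dir).as_posix()
        text = php.read_text(errors="replace")
        if php.name == DROPPER_NAME:
            findings.add((rel, "dropper filename"))
        if C2_ADDRESS in text:
            findings.add((rel, "C2 address"))
        if rel.count("/") == 1:
            head = {k.lower(): v for k, v in HEADER.findall(text[:8192])}
            name, ver = head.get("plugin name", ""), head.get("version", "")
            for known, is_affected in AFFECTED.items():
                if known.lower() in name.lower() and ver and is_affected(parse_version(ver)):
                    findings.add((rel, f"affected build {ver}"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample files; directory names are made up, not real plugin slugs."""
    files = {
        "slider-pro/main.php": "<?php\n/*\n * Plugin Name: Product Slider Pro for WooCommerce\n"
                               f" * Version: 3.5.3\n */\n// constructed line: {C2_ADDRESS}:2871\n",
        "slider-pro/includes/install-persistent.php": "<?php // constructed placeholder\n",
        "post-show-pro/main.php": "<?php\n/*\nPlugin Name: Smart Post Show Pro\nVersion: 4.0.2\n*/\n",
    }
    for rel, body in files.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(body)
    return root

if __name__ == "__main__":
    import sys
    print(*(f"{why}: {rel}" for rel, why in scan_plugins(sys.argv[1])), sep="\n")
```

An empty result does not clear a site: the analysis says the installer components erase themselves after activation, and a plain string match misses an address that is stored encoded.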
Vendor confirmation and remediation steps
ShapedPlugin confirmed the incident after being notified and said it is reviewing its distribution and release processes “to ensure the integrity of its products going forward.” The vendor indicated that new, clean versions of the impacted plugins are expected to be released pending comprehensive security reviews and validation tests.
Wordfence and the advisory recommend that site owners who installed the malicious Pro builds take immediate remediation steps: reset all passwords; revoke and regenerate 2FA secrets for all users; review administrator accounts for unauthorized additions; and check mail plugin configurations for modified SMTP credentials.
What this means for licensed customers, security teams, and procurement
Licensed customers who updated directly from ShapedPlugin’s official update system are the primary victims: legitimate purchasers who relied on vendor-signed updates received backdoored code. Security teams will need to treat affected sites as fully compromised until the extracted wp-config.php contents, admin-account listings, SMTP credentials, and recent WooCommerce order data can be validated and rotated.
Procurement and build-security teams at organizations that purchase third-party plugins should expect a review of supply-chain controls: the incident points to a compromise in a vendor’s build or distribution pipeline rather than an isolated package poisoning, and ShapedPlugin has said it is reviewing those processes as part of its response.
Evidence that the attackers altered the vendor’s build and distribution pipeline — rather than only delivering malicious updates through a third-party mirror or drive-by method — raises specific questions about artifact signing, release validation, and internal access controls at plugin vendors. How ShapedPlugin’s forthcoming validation tests and the promised new versions will address those gaps is central to restoring trust for customers who received updates through account.shapedplugin[.]com.
The immediate facts are stark: high-severity CVEs, a loader that activates on admin pages, remote payload fetching from 194.76.217[.]28:2871, data extraction that reaches into wp-config.php and recent WooCommerce orders, and an erasure tactic meant to obscure forensic traces. For affected site owners, the path is clear — treat credentials and 2FA as compromised, examine admin accounts and SMTP settings, and await vendor-signed, fully validated plugin releases before re-enabling updates.




