ShapedPlugin Supply Chain Compromise & CVE-2026-10735 Malicious Plugin Analysis

PSA: Supply Chain Compromise Targets ShapedPlugin, Backdoored Pro Plugins Distributed via Official Channels Vulnerability Overview The Wordfence Threat Intelligence Team was notified on June 11, 2026, of a potential supply chain vulnerability affecting ShapedPlugin, a WordPress plugin vendor with over 400,000 active free plugin installations. During the investigation, we discovered that attackers had injected malicious code into ShapedPlugin's build and distribution pipelines via official authorized update channels. Impact Scope Affected Software: - Product Slider Pro for WooCommerce - Real Testimonials Pro - Smart Post Show Pro CVE ID: CVE-2026-10735 CVSS Score: 9.8 (Critical) Patch Status: Fixed Remediation The ShapedPlugin team confirmed receipt of the notification and immediately launched an investigation. The team has implemented necessary mitigation measures and is actively analyzing indicators from the report, reviewing distribution and release processes to ensure product and infrastructure integrity. As part of the response, the team is preparing updated plugin versions and conducting comprehensive security checks and validation testing to ensure all affected products are fully resolved before deployment. A new validated version is expected to be released once all checks are completed. Malware Analysis Phase 1: Loader Malicious files included are and the modified . The loader executes on every admin page load, downloading a payload from the C2 server and installing/activating it as a WordPress plugin updater class. It reports victim domains to the C2 and cleans up traces. Phase 2: Payload The payload is installed in . It contains multiple attack tools: - : Main plugin file, hides the plugin from the admin list. - : Persistence layer, REST API backdoor, data exfiltration. - : Tiny File Manager 2.6. - : Adminer 5.2.1. - : URL parameter-based webshell. - : Steals credentials and 2FA keys. - : Backdoor login bypass. Credential Theft and 2FA Key Exfiltration The file hooks into WordPress authentication to capture plaintext credentials. It collects usernames, passwords, user IP addresses, user agents, session cookies, user roles, and capabilities. Special attention is given to stealing TOTP seeds from multiple 2FA plugins. Multiple Backdoor Access Methods REST API Backdoor: The file registers a custom REST endpoint that accepts arbitrary file writes. URL Parameter Webshell: Diagnostics accept commands executed via URL parameters. Bundled Tools: Direct access to Tiny File Manager 2.6 and Adminer 5.2.1. Login Bypass: A hardcoded MD5 hash allows authentication bypass for any valid username. Data Exfiltration When accessed directly, displays an HTML page containing the following information: - Full contents of (database credentials, keys, debug settings). - All administrator accounts (registration dates). - Email plugin credentials from WP Mail SMTP, Post SMTP, Easy WP SMTP, etc. - WooCommerce order data from the past three months, broken down by payment method. Anti-Forensics Techniques such as timestamp spoofing, self-deletion, plugin hiding, and function obfuscation are used to evade detection and complicate incident response. Pipeline Compromise Evidence File Modification Patterns: Analysis of file timestamps shows precise injection patterns. Git Build Artifacts: The Pro plugin ZIP contains composer metadata with git SHA references. SVN Committer Pattern Changes: WordPress.org SVN logs show significant changes in April 2026. Selective Injection: Attackers were able to deploy updates to WordPress.org (free plugins) and the EDD system (Pro plugins) but chose to inject malicious code only into certain Pro builds.

Goal Reached Thanks to every supporter — we hit 100%!

ShapedPlugin Supply Chain Compromise & CVE-2026-10735 Malicious Plugin Analysis

More from this source