Cybersecurity · June 23, 2026 · via Security Affairs

Supply chain attack hits ShapedPlugin, backdoors WordPress plugins


A supply chain attack has compromised ShapedPlugin’s update pipeline, injecting malicious backdoors into premium WordPress plugins distributed between April and June 2026. Security researchers at Wordfence confirmed the breach after discovering a compromised copy of Real Testimonials Pro 3.2.5 in ShapedPlugin’s official update channel.

How the attack unfolded

The intrusion targeted ShapedPlugin’s build and distribution pipeline, embedding malicious code into Pro plugin releases. Affected products include Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro. Free plugins on WordPress.org remained unaffected, suggesting the attackers focused specifically on paid offerings.

What the backdoor does

The malware operates in two stages. First, a loader file downloads a payload from an attacker-controlled server, installs itself as a disguised plugin, reports the infected domain, and then deletes itself. The payload masquerades as legitimate WooCommerce plugins with slight naming variations, such as “woocommerce-subscription.” Once active, it hides from the WordPress admin interface and registers a REST API backdoor allowing arbitrary file writes. It also bundles tools like Tiny File Manager and Adminer for direct file and database access, alongside a hardcoded login bypass using a single MD5 hash to authenticate as any administrator.
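As an added, defender-side illustration that is not part of the article or of Wordfence's tooling, the following Python script walks a WordPress plugins directory and flags the behaviours described above: a slug that borrows the WooCommerce name, a REST route registered alongside a file write, a hardcoded 32-character MD5 comparison, and bundled Tiny File Manager or Adminer strings. The `all_plugins` filter as the hiding mechanism, the allowlist of legitimate slugs, and the plugin fixtures are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Source-level indicators drawn from the behaviour described above. The
# 'all_plugins' filter is assumed as the hiding mechanism; the article does
# not say how the payload hides itself from the admin interface.
INDICATORS = {
    "rest_route_with_file_write": re.compile(r"register_rest_route\b[\s\S]*\bfile_put_contents\b"),
    "hardcoded_md5_auth": re.compile(r"md5\s*\([^)]*\)\s*===?\s*['\"][0-9a-f]{32}['\"]"),
    "bundled_admin_tool": re.compile(r"Tiny File Manager|Adminer", re.I),
    "hides_from_plugin_list": re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]"),
}
# Slugs the site legitimately runs (assumed allowlist); anything else that
# borrows the "woocommerce" prefix is flagged as a possible lookalike.
KNOWN_SLUGS = {"woocommerce", "woocommerce-subscriptions"}

def scan_plugins_dir(root):
    """Return {slug: [indicator, ...]} for every plugin with at least one hit."""
    findings = {}
    for slug in sorted(os.listdir(root)):
        hits = set()
        if slug.startswith("woocommerce") and slug not in KNOWN_SLUGS:
            hits.add("lookalike_slug")
        for dirpath, _, files in os.walk(os.path.join(root, slug)):
            for name in files:
                if not name.endswith(".php"):
                    continue
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
                hits.update(label for label, rx in INDICATORS.items() if rx.search(src))
        if hits:
            findings[slug] = sorted(hits)
    return findings

# Constructed, non-functional fixtures: one benign stub and one carrying the tokens above.
BENIGN = "<?php\n/* Plugin Name: Real Testimonials Pro (constructed stub) */\nadd_shortcode('rt', 'rt_cb');\n"
SUSPECT = ("<?php\n/* Plugin Name: WooCommerce Subscription (constructed stub) */\n"
           "add_filter('all_plugins', 'hide_me');\nregister_rest_route('x/v1', '/w', array());\n"
           "file_put_contents($p, $d);\nif (md5($k) === '0123456789abcdef0123456789abcdef') {}\n"
           "// Tiny File Manager\n")

def demo():
    """Build a throwaway plugins directory from the fixtures and scan it."""
    root = tempfile.mkdtemp()
    for slug, src in {"real-testimonials-pro": BENIGN, "woocommerce-subscription": SUSPECT}.items():
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, f"{slug}.php"), "w", encoding="utf-8") as fh:
            fh.write(src)
    return scan_plugins_dir(root)
```

Point `scan_plugins_dir` at a real `wp-content/plugins` directory to triage an install; hits are leads for manual review, not confirmation of compromise.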

Why this matters

Supply chain compromises like this are increasingly common because they exploit trust in legitimate software sources. Even users following security best practices—installing updates directly from official channels—can be exposed. Wordfence researchers emphasize the sophistication of the malware, particularly its targeted theft of two-factor authentication secrets from multiple 2FA plugins, with stolen credentials sent to a domain designed to resemble legitimate services.


Source: Security Affairs. AI-assisted editorial synthesis — TechnoExpress.
