ShapedPlugin Supply Chain Attack Exposes WordPress Sites

A dangerous ShapedPlugin supply chain attack is currently threatening WordPress websites. Security researchers at Wordfence discovered this severe compromise on June 11th, 2026. Hackers breached the vendor’s distribution pipeline. Consequently, they injected malicious backdoor code into Pro plugin releases. These tainted updates shipped through official channels. “As with all supply chain compromises, this attack is particularly insidious because affected site owners followed security best practices,” the researchers explained.

Users bought legitimate licenses and installed updates normally. However, this routine action infected their websites. The breach explicitly targets premium builds distributed via Easy Digital Downloads. Fortunately, free versions on the official repository remain completely unaffected. This targeted approach indicates highly sophisticated attackers.

How the Sophisticated Malware Operates

The malware relies on a highly complex infection process. First, the compromised package drops a malicious file called LicenseLoader.php. This script triggers on every administrator page load. Next, it downloads a dangerous payload from a remote server. The payload then installs a fake plugin named woocommerce-subscription. Finally, the initial loader deletes itself. “This self-deleting behavior means the initial infection vector disappears after first execution,” the report stated.

Stealing Credentials and 2FA Secrets

This ShapedPlugin supply chain attack goes beyond simple password theft. The attackers designed the malware to steal two-factor authentication secrets. Specifically, it hunts for TOTP seeds from popular security plugins. Stolen credentials flow to a malicious domain called generate.2faplugin.org. Therefore, attackers can completely bypass multi-factor authentication. Changing passwords alone will not secure your compromised site.

Advanced Backdoor Access Channels

The deployed payload creates multiple persistent access points for hackers. For example, it registers a custom REST API endpoint. This hidden gateway accepts arbitrary file writes from the attackers. Furthermore, the malware bundles powerful database management tools. It installs copies of Tiny File Manager and Adminer. Consequently, criminals gain convenient graphical interfaces to manipulate your sensitive data. The backdoor even features a hardcoded password bypass. Attackers can effortlessly log in as any administrator.

Evidence of Pipeline Tampering

Investigators found clear evidence of a sophisticated build pipeline compromise. Only four specific files were modified during a brief two-hour window. This surgical precision strongly points to an automated injection step. “This confirms the package was built from a private git repository,” researchers concluded. Furthermore, the attacker selectively deployed malware only to paying customers. They likely avoided free versions to evade automated repository scanners. This calculated strategy maximized their financial impact.

Key Vulnerabilities and Affected Versions

Security teams assigned multiple tracking numbers to these vulnerabilities. The primary threat is tracked as CVE-2026-10735. This flaw carries a critical severity score of 9.8. Additionally, researchers identified a related backdoor tracked as CVE-2026-49777. The malicious code specifically impacts multiple premium plugins. For instance, Real Testimonials Pro version 3.2.5 is confirmed compromised. Product Slider Pro and Smart Post Pro also contained dangerous backdoors.

Securing Your WordPress Installation

You must take immediate action if you use these premium plugins. First, scan your entire website using a reliable security scanner. Next, check your plugin folder for any fake WooCommerce subscription directories. Also, review your database for suspicious options. You need to rotate all administrator passwords immediately. In addition, you must revoke and regenerate all 2FA secrets for your users.

Supply chain compromises are rapidly becoming more common across all software platforms. Hackers continuously evolve their tactics to target valuable authentication data. Therefore, website owners must remain vigilant and proactively monitor their systems. Taking swift action is your best defense against these advanced threats.