Hacked WordPress plugin updates push credential-stealing backdoor to paying sites

Attackers compromised the build pipeline of ShapedPlugin, a WordPress plugin maker, and slipped malware into legitimate updates delivered to paying customers through the vendor's own update system. The tainted releases install a fake plugin that impersonates WooCommerce components, steals site credentials, and gives attackers the ability to write files remotely. Three paid plugins are affected: Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro. The backdoor was injected into Pro builds on May 21, with the first customer reports on June 10. Versions on WordPress.org stayed clean, pointing to a compromise of the vendor's release infrastructure rather than the plugins themselves.

Check
Check whether your WordPress sites run ShapedPlugin's Product Slider Pro, Real Testimonials Pro, or Smart Post Show Pro, and look for unfamiliar plugins impersonating WooCommerce components, newly created administrator accounts, and unexpected file-write activity.
Affected
WordPress sites that updated the paid plugins Product Slider Pro (before 3.5.4), Real Testimonials Pro 3.2.5, or Smart Post Show Pro (before 4.0.2) between May 21 and the fix (tracked as CVE-2026-10735).
Fix
Update the affected ShapedPlugin products to fixed versions, remove any rogue WooCommerce-impersonating plugin, rotate all site and admin credentials, and scan the site for web shells and unauthorized file changes.
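The Check and Fix steps above can be partly scripted. The following is an added triage helper, not code from the article or from ShapedPlugin: it reads the JSON that WP-CLI prints for `wp plugin list --fields=name,title,version --format=json` and `wp user list --role=administrator --fields=user_login,user_registered --format=json`, flags the affected versions named in the advisory, lists plugins that borrow the WooCommerce name but are not the core `woocommerce` slug (a heuristic review list, not proof of compromise), and lists administrator accounts registered on or after the injection date. The plugin slugs, the "WooCommerce Core Helper" entry and the user records in the sample data are constructed; the year 2026 for the May 21 injection date is inferred from the CVE prefix.

```python
"""Triage helper for the ShapedPlugin supply-chain incident (added example).

Feed it the JSON produced by WP-CLI on the site:
    wp plugin list --fields=name,title,version --format=json
    wp user list --role=administrator --fields=user_login,user_registered --format=json
The sample data at the bottom is constructed for offline use; the slugs and
registration dates are assumptions, not values from the advisory.
"""
import json
from datetime import datetime

# Affected products and the boundary version, taken from the advisory.
# Real Testimonials Pro: only 3.2.5 is named as affected, so that exact
# version is flagged; no fixed version is assumed for it.
AFFECTED = {
    "product slider pro": ("below", (3, 5, 4)),
    "real testimonials pro": ("exact", (3, 2, 5)),
    "smart post show pro": ("below", (4, 0, 2)),
}

# Date the backdoor entered the Pro builds (year assumed from the CVE prefix).
INJECTION_DATE = datetime(2026, 5, 21)

# The official WooCommerce core slug. Other slugs that borrow the name go on a
# review list; legitimate extensions also do this, so confirm against the
# site's expected plugin inventory rather than treating a hit as malicious.
OFFICIAL_WOO_SLUGS = {"woocommerce"}


def parse_version(s):
    """'3.5.4' -> (3, 5, 4); non-numeric suffixes are dropped, padded to 3 parts."""
    parts = []
    for p in s.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(title, version):
    """True if the plugin title matches an affected product at a bad version."""
    key = title.strip().lower()
    for product, (mode, boundary) in AFFECTED.items():
        if product in key:
            v = parse_version(version)
            return v < boundary if mode == "below" else v == boundary
    return False


def looks_like_woo_impostor(slug):
    """Heuristic: slug trades on the WooCommerce name but is not core WooCommerce."""
    s = slug.lower()
    return ("woocommerce" in s or s.startswith("wc-")) and s not in OFFICIAL_WOO_SLUGS


def new_admins_since(users, since=INJECTION_DATE):
    """Administrator logins registered on or after `since` (WP date format)."""
    return [
        u["user_login"]
        for u in users
        if datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S") >= since
    ]


def triage(plugins_json, users_json):
    """Return the three findings lists for one site."""
    plugins = json.loads(plugins_json)
    users = json.loads(users_json)
    return {
        "vulnerable": [
            f"{p['title']} {p['version']}"
            for p in plugins
            if is_affected_version(p["title"], p["version"])
        ],
        "review_woo": [p["name"] for p in plugins if looks_like_woo_impostor(p["name"])],
        "new_admins": new_admins_since(users),
    }


# Constructed sample output; slugs and the helper plugin are invented for the demo.
SAMPLE_PLUGINS = json.dumps([
    {"name": "woocommerce", "title": "WooCommerce", "version": "9.8.1"},
    {"name": "woo-product-slider-pro", "title": "Product Slider Pro for WooCommerce", "version": "3.5.2"},
    {"name": "testimonial-pro", "title": "Real Testimonials Pro", "version": "3.2.5"},
    {"name": "smart-post-show-pro", "title": "Smart Post Show Pro", "version": "4.0.2"},
    {"name": "woocommerce-core-helper", "title": "WooCommerce Core Helper", "version": "1.0"},
])
SAMPLE_USERS = json.dumps([
    {"user_login": "owner", "user_registered": "2023-02-10 09:12:00"},
    {"user_login": "wc_support", "user_registered": "2026-06-02 03:44:17"},
])

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PLUGINS, SAMPLE_USERS), indent=2))
```

On a real site, pipe the two WP-CLI commands into files and pass their contents to `triage()`; a non-empty `vulnerable` list means the plugin update plus credential rotation from the Fix section still applies, and anything in `review_woo` or `new_admins` should be reconciled against the site's change records before it is trusted.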