Last updated: July 5, 2026 at 9:01 AM UTC
Tag: woocommerce (3 articles)

Hacked WordPress plugin updates push credential-stealing backdoor to paying sites

Attackers compromised the build pipeline of ShapedPlugin, a WordPress plugin maker, and slipped malware into legitimate updates delivered to paying customers through the vendor's own update system. The tainted releases install a fake plugin that impersonates WooCommerce components, steals site credentials, and gives attackers the ability to write files remotely. Three paid plugins are affected: Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro. The backdoor was injected into Pro builds on May 21, with the first customer reports on June 10. Versions on WordPress.org stayed clean, pointing to a compromise of the vendor's release infrastructure rather than the plugins themselves.

Check
Check whether your WordPress sites run ShapedPlugin's Product Slider Pro, Real Testimonials Pro, or Smart Post Show Pro, and look for unfamiliar plugins impersonating WooCommerce components and new admin or file-write activity.
Affected
WordPress sites that updated the paid plugins Product Slider Pro (before 3.5.4), Real Testimonials Pro 3.2.5, or Smart Post Show Pro (before 4.0.2) between May 21 and the fix (tracked as CVE-2026-10735).
Fix
Update the affected ShapedPlugin products to fixed versions, remove any rogue WooCommerce-impersonating plugin, rotate all site and admin credentials, and scan the site for web shells and unauthorized file changes.

FBI Director Kash Patel's merchandise site (basedapparel.com) infected with WooCommerce ClickFix macOS infostealer; site taken offline

FBI Director Kash Patel's merchandise website basedapparel[.]com was taken offline on Friday after researchers documented a multi-stage WooCommerce compromise that stole payment data and targeted Mac users with a ClickFix attack. The site displayed a fake Cloudflare CAPTCHA prompting visitors to paste a command into their terminal; the macOS-specific shell command then downloaded a script-based infostealer that targets browsers, password vaults, and cryptocurrency wallets before compressing the data, exfiltrating it to monterushy[.]com, and deleting itself. Researchers WifiRumHam and 'debbie' analyzed the live campaign on May 21-22; the site went offline on May 22. Similar infections have been seen across many compromised WooCommerce sites.

Check
Search outbound traffic for connections to monterushy[.]com and similar ClickFix C2 hosts since early May. Inventory WooCommerce sites your organization operates and confirm plugin integrity.
Affected
WooCommerce-powered e-commerce sites with vulnerable or unverified plugins. Mac users who visit compromised storefronts and are prompted to paste shell commands. Brand reputation risk for high-profile site owners.
Fix
Block monterushy[.]com at egress. Audit WooCommerce plugin authenticity via official channels. Train users (especially macOS) to never paste shell commands from a website. Apply EDR rules for ClickFix patterns.

Three WordPress plugins under active exploitation: Funnel Builder, Avada Builder, and Burst Statistics (1.2M+ sites at risk)

Three concurrent WordPress plugin issues are putting millions of sites at risk. Funnel Builder, used on 40,000+ WooCommerce sites, is being actively exploited: an unauthenticated attacker hits an unprotected checkout endpoint, modifies global plugin settings, and injects JavaScript skimmers into checkout pages. Avada Builder, with 1 million installs and bundled with the Avada theme, ships fixes in 3.15.3 for CVE-2026-4782 (CVSS 6.5: arbitrary file read by Subscriber-level users, exposing wp-config.php) and CVE-2026-4798 (CVSS 7.5: unauthenticated time-based blind SQL injection on sites where WooCommerce was used and then deactivated). Burst Statistics CVE-2026-8181 is an auth bypass already being exploited on 200,000 sites.

Check
Inventory WordPress sites you operate or manage for clients; check installed versions of Funnel Builder, Avada Builder (and the Avada theme), and Burst Statistics; pull web access logs for the affected checkout and Fusion shortcode endpoints.
Affected
WordPress sites running Funnel Builder before the latest patch, Avada Builder up to 3.15.2 (1M sites bundled with the Avada theme), and Burst Statistics 3.4.0 or 3.4.1 (200K sites). WooCommerce checkout integrations face highest impact.
Fix
Update Avada Builder to 3.15.3 (released May 12), update Burst Statistics to the patched release, apply the Funnel Builder fix, then rotate WordPress salts and database passwords on any site that ran a vulnerable Avada Builder version.