CVE-2026-10735 ShapedPlugin WordPress (CVSS 9.8)

ShapedPlugin, a vendor of WordPress plugins, experienced a supply chain compromise affecting several "Pro" versions of their products. This incident, identified as CVE-2026-10735, involved injecting backdoor code into official plugin releases, which distributed malware to customers. The vulnerability has a CVSS score of 9.8, indicating high severity, and has been actively exploited, threatening affected WordPress installations.

The compromise targeted the build and distribution pipeline for ShapedPlugin's premium (Pro) versions, affecting updates delivered through their official licensed channels. The Pro plugins, updated through the vendor's Easy Digital Downloads (EDD) infrastructure, contained malicious code, unlike the free versions on WordPress.org. This allowed threat actors to establish persistence, steal sensitive data, and gain remote control over compromised WordPress sites.

This attack used trusted update mechanisms to deliver malware, showing how supply chain vulnerabilities pose significant risks in software. It bypasses conventional security checks for publicly available plugins and directly impacts paying customers who rely on vendor integrity. Wordfence's analysis confirmed a complex, multi-stage backdoor, built for stealth and complete data theft.

What is CVE-2026-10735 and what is its impact?

CVE-2026-10735 identifies a critical supply chain compromise affecting multiple Pro plugins from ShapedPlugin for WordPress. This vulnerability allows an attacker who injects backdoor code into official distribution channels to gain full control over a compromised WordPress site. The overall incident has a CVSS score of 9.8, indicating a critical impact due to the extensive capabilities it grants attackers. A related CVE, CVE-2026-49777, with a CVSS score of 10.0, specifically applies to the compromise in the Product Slider Pro for WooCommerce plugin, demonstrating its extreme severity.

The main impact of this compromise is the deployment of a complex backdoor and malware onto victim WordPress installations. Attackers can achieve arbitrary file writes via a custom REST endpoint, set up a persistent web shell with command execution capabilities, and steal highly sensitive data. This data includes database credentials, authentication keys, administrator account details, and e-commerce order information. The ability to capture plaintext credentials and two-factor authentication (2FA) codes further increases the risk, potentially leading to broader organizational compromises beyond the initial WordPress site.

Organizations using the affected ShapedPlugin Pro plugins face severe risk of data breaches, website defacement, and complete system takeover. The malware's stealth, including its ability to hide from the WordPress admin plugin list and self-erase certain components, makes detection and incident response difficult. This type of supply chain attack, where trusted software updates become a malware vector, is a major threat to digital infrastructure, similar to other incidents affecting software development repositories, such as the Miasma worm Microsoft GitHub compromise covered in our earlier analysis.

Exploitation Chain Analysis

The exploitation chain for CVE-2026-10735 begins with a compromise of the ShapedPlugin vendor's build and distribution pipeline. Threat actors injected malicious code directly into the official releases of several Pro plugins. This points to a complex attack on the software supply chain, a common way for serious threats to spread, as discussed in our prior analysis of a WordPress plugin backdoor breach. When a site owner with a legitimate license updated their plugin through the vendor's official Easy Digital Downloads (EDD) infrastructure (account.shapedplugin[.]com), they inadvertently installed the backdoored version.

When the compromised plugin activates, a malicious "loader" component triggers on every administrative page load in WordPress. This loader fetches a secondary payload from a remote command-and-control (C2) server at 194.76.217[.]28:2871. After retrieval, this payload installs and activates as a seemingly legitimate, but fake, plugin. The malware works stealthily, reporting the victim domain back to the C2 server before attempting to erase its initial traces, making incident response and forensic analysis difficult.

The counterfeit plugin establishes multiple strong persistence mechanisms and performs many malicious activities. It achieves arbitrary file writes through a specially crafted custom REST endpoint, requiring a specific authentication token to operate. It also drops a web shell that allows attackers full command execution on the compromised server. This gives direct access for full system control. The malware specifically targets sensitive configuration details and data:

  • It extracts the full contents of wp-config.php, including:
      • Database credentials
      • Authentication keys
      • Debug settings
  • It lists all administrator accounts along with their registration dates.
  • It obtains mail plugin credentials from popular plugins like WP Mail SMTP, Post SMTP, and Easy WP SMTP.
  • It captures WooCommerce order data from the last three months, complete with payment method breakdowns.

This information is initially harvested by a bundled PHP file named "install-persistent.php", which is then deleted, further hiding the attack. The compromise of the build pipeline, rather than direct package poisoning, shows how complex and indirect this supply chain vulnerability is.

Which products are affected by this compromise?

The compromise associated with CVE-2026-10735 primarily affects specific "Pro" versions of WordPress plugins developed by ShapedPlugin. The free versions of these plugins, distributed via WordPress.org, have not been affected by this particular supply chain attack. The vulnerability is restricted to builds distributed through the vendor's official licensed update channels, specifically via the Easy Digital Downloads (EDD) infrastructure at account.shapedplugin[.]com.

The following ShapedPlugin Pro plugins and their affected versions are identified:

  • Product Slider Pro for WooCommerce: Versions before 3.5.4 are compromised. This specific vulnerability is also assigned CVE-2026-49777, with a CVSS score of 10.0.
  • Real Testimonials Pro: Version 3.2.5 is compromised.
  • Smart Post Show Pro: Versions before 4.0.2 are compromised.

Organizations running these specific Pro plugin versions should consider their environments compromised and initiate immediate incident response procedures. Verification of the plugin source and version is critical for accurate assessment of exposure.

Impact

The impact of the ShapedPlugin supply chain compromise, tracked under CVE-2026-10735 (overall incident) and CVE-2026-49777 (specific to Product Slider Pro for WooCommerce), is critical, with CVSS scores of 9.8 and 10.0. Attackers who successfully exploit this vulnerability can achieve broad control and data theft from compromised WordPress sites. The primary risk is to site owners who purchased legitimate licenses for the Pro versions of the affected plugins and installed updates through the official vendor channels, unknowingly introducing malicious code.

Once established, the malware enables arbitrary file writes via a custom REST endpoint. This allows threat actors to create, modify, or delete any file on the server, potentially leading to website defacement, complete data deletion, or the installation of further malicious software. A core component of the attack is the deployment of a persistent web shell with full command execution features. This gives attackers an interactive interface to run arbitrary operating system commands, giving full administrative control of the underlying server.

The compromise also facilitates full data theft. The malware extracts highly sensitive information, including:

  • Full contents of wp-config.php, which contains critical database credentials, security keys, and potentially other sensitive configuration data.
  • All administrator accounts, including their registration dates, allowing potential account takeover or creation of new backdoored administrative users.
  • Credentials for mail plugins such as WP Mail SMTP, Post SMTP, and Easy WP SMTP, which could be used for spam campaigns, phishing, or other malicious email activities from the compromised server.
  • Recent WooCommerce order data (from the last three months), including payment method breakdowns, directly threatening customer privacy and financial data.

Also, the capability to capture plaintext credentials and two-factor authentication (2FA) codes from the WordPress admin interface means an attacker could escalate privileges or gain access to other systems if users reuse credentials. The stealth mechanisms, such as the malware hiding itself from the WordPress admin plugin list and erasing certain components, make detection and forensic investigation challenging, potentially prolonging attacker presence on affected systems.

Detection

Detecting the ShapedPlugin supply chain compromise (CVE-2026-10735) requires several methods, focusing on network indicators, file system anomalies, and specific logging patterns. Because the malware is stealthy, proactive monitoring and retrospective analysis of logs are essential.

Network Indicators:

  • Outbound connections to 194.76.217[.]28 on port 2871: This IP address and port are the known command-and-control server used by the loader component to fetch the secondary payload. Any outbound connection attempts to this destination from a WordPress host are suspicious.
  • Unusual HTTP/HTTPS requests from the WordPress server, particularly those downloading executable or PHP files, especially after a plugin update.

File System Indicators and Signatures:

  • Presence of install-persistent.php in plugin directories (though this file is designed to be self-deleting after execution, its temporary presence or remnants might be detectable).
  • Presence of a hidden, fake plugin not listed in the standard WordPress admin plugin interface. This might require direct file system examination or database queries to the wp_options table for active_plugins.
  • Unusual or unauthorized file modifications in core WordPress directories, plugin directories, or the wp-content folder, especially PHP files with obfuscated code or remote fetching capabilities.
  • Suspicious file permissions or ownership changes.
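One way to perform the active_plugins cross-check described above, as an added example rather than code from the write-up or the vendor: it parses the serialized wp_options value and diffs it against what the admin plugin list shows and what is present on disk. The plugin names and all three inputs are constructed placeholders.

```python
def parse_php_string_array(blob):
    """Parse a PHP-serialized array of strings, the shape WordPress stores in
    wp_options for option_name = 'active_plugins'. Slicing by the declared
    length (rather than regex) copes with quotes or semicolons inside a value;
    PHP lengths are byte counts, so this assumes ASCII plugin paths."""
    if not blob.startswith("a:"):
        raise ValueError("not a serialized PHP array")
    values, pos = [], blob.index("{") + 1
    while blob[pos] != "}":
        if blob.startswith("i:", pos):          # integer key, e.g. i:0;
            pos = blob.index(";", pos) + 1
        if not blob.startswith("s:", pos):
            raise ValueError(f"unexpected element at offset {pos}")
        colon = blob.index(":", pos + 2)        # end of the length field
        length = int(blob[pos + 2:colon])
        start = colon + 2                       # skip :"
        values.append(blob[start:start + length])
        pos = start + length + 2                # skip closing quote and ;
    return values

def audit_active_plugins(serialized, admin_listed, plugins_dir_entries):
    """Compare the database's active plugin list with the admin UI and the disk.
    Active but absent from the admin list = being hidden (the fake plugin's
    behaviour); active but missing on disk = stale entry or a component that
    removed itself without deactivating."""
    active = parse_php_string_array(serialized)
    return {
        "hidden_from_admin": [p for p in active if p not in admin_listed],
        "active_but_missing": [p for p in active
                               if p.split("/", 1)[0] not in plugins_dir_entries],
    }

# Constructed inputs (placeholder names): the value returned by
#   SELECT option_value FROM wp_options WHERE option_name = 'active_plugins';
# the entries the admin plugin list (or `wp plugin list`) displays; and the
# result of os.listdir(".../wp-content/plugins").
SERIALIZED_ACTIVE = (
    'a:4:{i:0;s:19:"akismet/akismet.php";i:1;s:27:"example-pro/example-pro.php";'
    'i:2;s:27:"fake-helper/fake-helper.php";i:3;s:22:"ghost-plugin/ghost.php";}'
)
ADMIN_LISTED = {"akismet/akismet.php", "example-pro/example-pro.php"}
ON_DISK = {"akismet", "example-pro", "fake-helper", "index.php"}

if __name__ == "__main__":
    for kind, entries in audit_active_plugins(SERIALIZED_ACTIVE, ADMIN_LISTED, ON_DISK).items():
        print(kind, entries)
```

A plugin directory that exists on disk and is active in the database but never appears in the admin list is the pattern to escalate.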

Log Signatures and EDR Queries:

  • Web Server Access Logs: Look for unusual POST requests to /wp-json/ endpoints, specifically those that might match the custom REST endpoint used for arbitrary file writes. Monitor for many GET requests to PHP files that are not part of legitimate plugin functions.
  • WordPress Debug Logs: Enable WordPress debugging (WP_DEBUG) and investigate any unusual errors, warnings, or unexpected script executions.
  • PHP Process Logs: Monitor for PHP processes executing unusual commands or making outbound network connections.
  • EDR (Endpoint Detection and Response) Solutions:
      • Query for processes initiated by the web server (e.g., Apache, Nginx) making outbound connections to 194.76.217[.]28:2871.
      • Search for file write operations in sensitive directories (wp-config.php's directory, plugin directories) by unexpected PHP processes.
      • Detect the creation of new PHP files with suspicious content or names, especially those obfuscated or containing base64 encoded strings.
      • Monitor for execution of shell commands (exec, shell_exec, passthru) by the web server user.
  • Database Activity: Look for suspicious modifications to the wp_users table (e.g., new admin users, password changes for existing admins), or changes to wp_options related to active plugins that do not correspond to legitimate actions.
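Detection logic for the log signatures above, as an added example that is not part of the original write-up: it scans constructed access-log and egress-log lines for POSTs to an unexpected /wp-json/ namespace, successful direct hits on PHP files under wp-content, and egress to the loader C2. The known-namespace baseline, the sample lines, and the example-ns and x.php paths are assumptions, not the real indicators.

```python
import re

# Loader C2 from the write-up (defanged on the page as 194.76.217[.]28:2871).
C2_IP, C2_PORT = "194.76.217.28", 2871

# Assumed baseline of REST namespaces this site legitimately serves (core, WooCommerce);
# build it from the site's own /wp-json/ index before trusting the alert.
KNOWN_REST_NS = {"wp", "wp-site-health", "wp-block-editor", "oembed", "wc", "wc-analytics"}

# Combined log format: client, identd, user, [timestamp], "METHOD path proto", status, bytes.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def triage_access_log(lines):
    """Return (reason, line) pairs for requests matching the guidance above."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        method, status = m["method"], m["status"]
        path = m["path"].split("?", 1)[0]
        if method == "POST" and path.startswith("/wp-json/"):
            namespace = path[len("/wp-json/"):].split("/", 1)[0]
            if namespace not in KNOWN_REST_NS:
                findings.append(("POST to unknown REST namespace", line))
        elif path.startswith("/wp-content/") and path.endswith(".php") and status == "200":
            # Successful direct requests to PHP files under wp-content are how a
            # dropped web shell is reached; legitimate plugins rarely need this.
            findings.append(("direct PHP hit under wp-content", line))
    return findings

def triage_egress_log(lines):
    """Flag firewall/proxy lines whose destination is the loader's C2 IP and port."""
    return [line for line in lines
            if C2_IP in line and (f"{C2_IP}:{C2_PORT}" in line or f"DPT={C2_PORT}" in line)]

# Constructed sample lines (TEST-NET client addresses); the REST namespace and
# web shell path are placeholders, not the real indicators.
SAMPLE_ACCESS = [
    '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2026:12:00:07 +0000] "POST /wp-json/example-ns/v1/file HTTP/1.1" 200 17',
    '198.51.100.9 - - [10/Mar/2026:12:01:30 +0000] "GET /wp-content/uploads/2026/03/x.php?c=id HTTP/1.1" 200 88',
    '203.0.113.5 - - [10/Mar/2026:12:02:00 +0000] "GET /wp-content/plugins/foo/assets/app.js HTTP/1.1" 200 900',
]
SAMPLE_EGRESS = [
    "Mar 10 12:00:02 web1 kernel: OUT=eth0 SRC=10.0.0.4 DST=194.76.217.28 PROTO=TCP SPT=51200 DPT=2871",
    "Mar 10 12:00:03 web1 kernel: OUT=eth0 SRC=10.0.0.4 DST=198.51.100.20 PROTO=TCP SPT=51201 DPT=443",
]

if __name__ == "__main__":
    for reason, line in triage_access_log(SAMPLE_ACCESS):
        print(f"[{reason}] {line}")
    for line in triage_egress_log(SAMPLE_EGRESS):
        print(f"[egress to loader C2] {line}")
```

Run the access-log pass over the window around the plugin update first, since the loader fires on admin page loads and the REST endpoint is only reachable once the fake plugin is active.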

Given the potential for malware to capture mail plugin credentials, monitoring outbound email activity from the WordPress server for signs of spam or phishing campaigns is also advised.

Remediation

Remediating the ShapedPlugin supply chain compromise (CVE-2026-10735) requires a systematic and thorough approach, prioritizing immediate containment and removal of the malware. Simply updating or deleting the affected plugins may not be sufficient due to the malware's persistence mechanisms and data theft capabilities.

  1. Patch to Clean Versions:
      • Contact ShapedPlugin directly to obtain the official, verified, and clean versions of the affected plugins (e.g., Product Slider Pro for WooCommerce 3.5.4 or newer, Real Testimonials Pro version after 3.2.5, Smart Post Show Pro 4.0.2 or newer). The vendor has confirmed the incident and is reviewing distribution processes. Do not rely on previously downloaded packages from potentially compromised channels.
      • Thoroughly remove the backdoored plugin versions from all affected WordPress installations. This involves deleting the plugin files and ensuring no remnants remain.
      • Install the verified clean versions. If verified clean versions are not immediately available, uninstall the affected plugins and keep them uninstalled until a secure update is confirmed by ShapedPlugin.
  2. Immediate Security Actions (Workarounds & Mitigations):
      • Reset All Passwords: Force a password reset for all WordPress users, especially administrators and any users with elevated privileges. Emphasize the use of strong, unique passwords.
      • Revoke and Regenerate 2FA Secrets: For all users using two-factor authentication, revoke existing 2FA secrets and instruct users to regenerate new ones. The malware's ability to capture 2FA codes makes existing secrets potentially compromised.
      • Review Administrator Accounts: Carefully examine all administrator accounts for any unauthorized additions or modifications. Remove any unknown or suspicious administrator users immediately.
      • Check Mail Plugin Configurations: Verify the settings for WP Mail SMTP, Post SMTP, and Easy WP SMTP (or any other mail plugins) to ensure SMTP credentials have not been modified and are not pointing to unknown external servers. Regenerate API keys or passwords for these services.
      • Investigate wp-config.php: Examine the wp-config.php file for any unauthorized modifications to database credentials, authentication keys, or debug settings. Rotate all database credentials and update wp-config.php accordingly. Regenerate WordPress salt keys and update them in wp-config.php.
      • Scan for Web Shells and Backdoors: Perform a full file system scan using reputable security tools to identify any web shells, unknown files, or other persistent backdoors that might have been dropped by the malware. Pay close attention to unexpected PHP files in the wp-content directory or other common web shell locations.
      • Review Server Access Logs: Analyze web server access logs (Apache, Nginx) and PHP error logs for any suspicious activity, especially around the time of the plugin update and subsequent periods. Look for connections to 194.76.217[.]28:2871 or anomalous REST API calls.
  3. Ongoing Monitoring and Hardening:
      • Implement continuous monitoring of network traffic for suspicious outbound connections.
      • Regularly review WordPress logs and server logs for signs of compromise.
      • Apply the principle of least privilege to all WordPress users and file permissions.
      • Ensure all core WordPress files, themes, and plugins are kept up to date from trusted sources.
      • Consider implementing a web application firewall (WAF) to block malicious requests and monitor for anomalous behavior.

The complete remediation process may require a full restoration from a clean backup if the extent of the compromise cannot be fully determined, ensuring that all malicious components are removed.

Technical Takeaways

  • Supply Chain Attack Vector: CVE-2026-10735 is a critical supply chain compromise where threat actors injected backdoor code into official ShapedPlugin Pro plugin releases, distributed via the vendor's licensed update channels.
  • Critical Severity: The overall incident has a CVSS score of 9.8, with CVE-2026-49777 specific to Product Slider Pro for WooCommerce rated 10.0, indicating maximum severity and broad impact potential.
  • Multi-Stage Exploitation: The attack uses a loader to fetch a secondary payload from 194.76.217[.]28:2871, which then installs a stealthy, fake plugin for persistence and malicious operations.
  • Full Data Theft: The malware targets highly sensitive data, including wp-config.php contents (database credentials, authentication keys), all administrator accounts, mail plugin credentials (WP Mail SMTP, Post SMTP, Easy WP SMTP), and recent WooCommerce order data.
  • Persistence and Control: Attackers gain arbitrary file write capabilities via a custom REST endpoint and set up a web shell for full command execution, ensuring persistent access and control over the compromised WordPress site.