CVE-2026-10735
Published 2026-06-24
CVE-2026-10735: Multiple ShapedPlugin Pro WordPress plugins (smart-post-show-pro before 4.0.2, Real Testimonials Pro before 3.2.5, Product Slider for WooCommerce Pro before 3.5.3)…
Priority P279 · Severity: high · CVSS 3.1 base score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 0.39% (30.5th percentile)
Multiple ShapedPlugin Pro WordPress plugins (smart-post-show-pro before 4.0.2, Real Testimonials Pro before 3.2.5, Product Slider for WooCommerce Pro before 3.5.3) were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites.
Detection & IOCs (extracted from sources)
Detection guidance:
- Detect outbound connections from the web server to 194.76.217[.]28 on port 2871, the C2 used to deliver the second-stage backdoor payload.
- Look for WordPress plugins named 'woocommerce-subscription' or 'woocommerce-notification' that do not appear in the WordPress admin plugin list; the backdoor hides itself from the plugin list.
- Detect the presence of install-persistent.php in the WordPress plugin directories; this file exfiltrates wp-config.php contents, admin accounts, mail credentials, and WooCommerce order data before self-deleting.
- Monitor for arbitrary file write activity via a custom REST endpoint requiring a specific authentication token; this is a persistence mechanism established by the backdoor.
- Alert on web shell activity dropped by the fake WooCommerce plugin, which provides command execution capabilities on the compromised WordPress host.
- Identify affected plugin versions: Product Slider Pro for WooCommerce before 3.5.4, Real Testimonials Pro 3.2.5, and Smart Post Show Pro before 4.0.2 distributed via account.shapedplugin[.]com (EDD channel) are confirmed malicious.
Caveats:
- Only Pro plugin builds distributed via the vendor's EDD infrastructure (account.shapedplugin[.]com) are affected; free versions hosted on WordPress.org are confirmed clean.
- The backdoor self-deletes LicenseLoader.php after installing the second-stage payload, complicating forensic detection of the initial loader on already-compromised systems.
- install-persistent.php also self-deletes after exfiltrating data, so its absence does not rule out a successful compromise.
- The malicious updates were injected on May 21 but customer reports only emerged on June 10, indicating a roughly 20-day window of silent compromise before detection.
GHSA · ghsa_unreviewed · 2026-06-24
CVE-2026-10735 [HIGH]: Multiple ShapedPlugin Pro WordPress plugins (smart-post-show-pro before 4.0.2, Real Testimonials Pro before 3.2.5, Product Slider for WooCommerce Pro before 3.5.3) distributed with malicious code through the vendor's compromised update server.
VulnCheck · vulncheck · 2026
CVE-2026-10735 Vulnerability
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/blog/2026/06/psa-supply-chain-compromise-targets-shapedplugin-backdoored-pro-plugins-distributed-via-official-channels/
No detection rules found.
No public exploits indexed.
Hackernews · blogs_hackernews · 2026-06-22 · CVSS 10.0 · CVE-2026-49777 [CRITICAL]
## ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack after unknown threat actors managed to tamper with the official release channels and push backdoor code.
"Attackers compromised the vendor's build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels," Wordfence said in an analysis published last week.
The incident affects the following plugins:
- Product Slider Pro for WooCommerce (versions before 3.5.4)
- Real Testimonials Pro (version 3.2.5)
Bleepingcomputer · blogs_bleepingcomputer · 2026-06-18 · CVE-2026-10735
## ShapedPlugin update flow hacked to infect WordPress sites
By Bill Toulas
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack that distributed infected releases to paying customers via the vendor's official update system.
The malware delivered this way installed a fake plugin that impersonates WooCommerce components, steals credentials, and grants operators remote file-writing capabilities.
ShapedPlugin is a WordPress plugin vendor specializing in front-end/UI components and content display plugins, with a total active installation base of more than 400,000 for the free products.
The security incident affected only three paid plugins: Product Slider Pro for WooCommerce before 3.5.4, Real Testimonials Pro 3.2.5, and Smart Post Show Pro before 4.0.2.