CVE-2026-10735
published 2026-06-24

CVE-2026-10735: Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro…

Priority: P2 (79)
Severity: high, CVSS 3.1 base score 7.5 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
In the wild: listed in VulnCheck KEV, exploited in the wild
EPSS: 0.39% (30.5th percentile)
Multiple ShapedPlugin Pro plugins (the smart-post-show-pro WordPress plugin before 4.0.2, the Real Testimonials Pro WordPress plugin before 3.2.5, and the Product Slider for WooCommerce Pro WordPress plugin before 3.5.3) were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites.

Detection & IOCs (extracted from sources)

  • ip: 194.76.217[.]28
  • port: 2871
  • filename: install-persistent.php
  • path: woocommerce-subscription
  • path: woocommerce-notification
  • Detect outbound connections from the web server to 194.76.217[.]28 on port 2871, which is the C2 used to deliver the second-stage backdoor payload.
  • Look for WordPress plugins named 'woocommerce-subscription' or 'woocommerce-notification' that do not appear in the WordPress admin plugin list, as the backdoor hides itself from the plugin list.
  • Detect the presence of install-persistent.php in the WordPress plugin directories; this file exfiltrates wp-config.php contents, admin accounts, mail credentials, and WooCommerce order data before self-deleting.
  • Monitor for arbitrary file write activity via a custom REST endpoint requiring a specific authentication token, which is a persistence mechanism established by the backdoor.
  • Alert on web shell activity dropped by the fake WooCommerce plugin, which provides command execution capabilities on the compromised WordPress host.
  • Identify affected plugin versions: Product Slider Pro for WooCommerce before 3.5.4, Real Testimonials Pro 3.2.5, and Smart Post Show Pro before 4.0.2 distributed via account.shapedplugin[.]com (EDD channel) are confirmed malicious.
  • Only Pro plugin builds distributed via the vendor's EDD infrastructure (account.shapedplugin[.]com) are affected; free versions hosted on WordPress.org are confirmed clean.
  • The backdoor self-deletes LicenseLoader.php after installing the second-stage payload, complicating forensic detection of the initial loader on already-compromised systems.
  • install-persistent.php also self-deletes after exfiltrating data, meaning its absence does not rule out a successful compromise.
  • The malicious updates were injected on May 21 but customer reports only emerged on June 10, indicating a ~20-day window of silent compromise before detection.