CVE-2026-49777
published 2026-06-05

CVE-2026-49777: Improper Validation of Specified Quantity in Input vulnerability in ShapedPlugin, LLC Product Slider Pro for WooCommerce allows Malicious Software Implanted…

Priority: P1 · 83 · critical · 10 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 1.66% (73.6th percentile)
Improper Validation of Specified Quantity in Input vulnerability in ShapedPlugin, LLC Product Slider Pro for WooCommerce allows Malicious Software Implanted. This issue affects Product Slider Pro for WooCommerce: from n/a before 3.5.4.

Affected

1 range
Vendor: shapedplugin_llc
Product: product_slider_pro_for_woocommerce
Version range: >= n/a, < 3.5.4
Fixed in: 3.5.4

Detection & IOCs (extracted from sources)

ip: 194.76.217[.]28:2871
filename: install-persistent.php
path: woocommerce-subscription
path: woocommerce-notification
domain: account.shapedplugin[.]com
yara: (none listed)
fofa-query: body="wp-content/plugins/woo-product-slider-pro"
  • The fake backdoor plugin hides itself from the WordPress admin plugin list; enumerate plugins directly on the filesystem (wp-content/plugins/) and compare against the admin UI to detect hidden plugins named woocommerce-subscription or woocommerce-notification.
  • The file install-persistent.php exfiltrates wp-config.php contents, all admin accounts, mail plugin credentials, and WooCommerce order data, then self-deletes; look for transient creation/deletion of install-persistent.php in the plugin directory.
  • The compromise only affects Pro plugin builds distributed via account.shapedplugin[.]com (EDD infrastructure); free WordPress.org versions are clean. Flag any update pulled from account.shapedplugin[.]com for Product Slider Pro < 3.5.4, Real Testimonials Pro 3.2.5, or Smart Post Show Pro < 4.0.2.
  • Backdoor injection timestamps cluster around May 21; use file integrity monitoring to flag modifications to plugin files with timestamps in that window on affected plugin directories.
  • The Nuclei detection template uses a GET request with headers X-Cache-Status: nw9xQmK4 and a base64-encoded arithmetic expression in X-Cache-Key, matching a plaintext numeric sum in the response body with HTTP 200 and content-type text/plain.
  • CVE-2026-49777 was submitted as a duplicate of the primary CVE for the entire incident (CVE-2026-10735, CVSS 9.8); CVE-2026-49777 specifically tracks Product Slider Pro for WooCommerce and carries a CVSS score of 10.0.
  • The attack vector is a build/distribution pipeline compromise, not a vulnerability in the plugin code itself; standard plugin vulnerability scanning will not detect this — integrity verification of downloaded packages against known-good hashes is required.
  • The malware self-deletes LicenseLoader.php and install-persistent.php after execution to hinder forensic analysis; absence of these files does not confirm a clean system if the second-stage fake plugin was already installed.

CVSS provenance

NVD (v3.1): 10.0 CRITICAL — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
VulnCheck: 10.0 CRITICAL