CVE-2026-49777
Published 2026-06-05
CVE-2026-49777: Improper Validation of Specified Quantity in Input vulnerability in ShapedPlugin, LLC Product Slider Pro for WooCommerce allows Malicious Software Implanted…
Priority: P1 · 83 · critical · 10 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 1.66% (73.6th percentile)
Improper Validation of Specified Quantity in Input vulnerability in ShapedPlugin, LLC Product Slider Pro for WooCommerce allows Malicious Software Implanted.
This issue affects Product Slider Pro for WooCommerce: from n/a before 3.5.4.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shapedplugin_llc | product_slider_pro_for_woocommerce | >= n/a < 3.5.4 | 3.5.4 |
Detection & IOCs (extracted from sources)
fofa-query: body="wp-content/plugins/woo-product-slider-pro"
- The fake backdoor plugin hides itself from the WordPress admin plugin list; enumerate plugins directly on the filesystem (wp-content/plugins/) and compare against the admin UI to detect hidden plugins named woocommerce-subscription or woocommerce-notification.
- The file install-persistent.php exfiltrates wp-config.php contents, all admin accounts, mail plugin credentials, and WooCommerce order data, then self-deletes; look for transient creation/deletion of install-persistent.php in the plugin directory.
- The compromise only affects Pro plugin builds distributed via account.shapedplugin[.]com (EDD infrastructure); free WordPress.org versions are clean. Flag any update pulled from account.shapedplugin[.]com for Product Slider Pro < 3.5.4, Real Testimonials Pro 3.2.5, or Smart Post Show Pro < 4.0.2.
- Backdoor injection timestamps cluster around May 21; use file integrity monitoring to flag modifications to plugin files with timestamps in that window on affected plugin directories.
- The Nuclei detection template uses a GET request with headers X-Cache-Status: nw9xQmK4 and a base64-encoded arithmetic expression in X-Cache-Key, matching a plaintext numeric sum in the response body with HTTP 200 and content-type text/plain.
- CVE-2026-49777 was submitted as a duplicate of the primary CVE for the entire incident (CVE-2026-10735, CVSS 9.8); CVE-2026-49777 specifically tracks Product Slider Pro for WooCommerce and carries a CVSS score of 10.0.
- The attack vector is a build/distribution pipeline compromise, not a vulnerability in the plugin code itself; standard plugin vulnerability scanning will not detect this — integrity verification of downloaded packages against known-good hashes is required.
- The malware self-deletes LicenseLoader.php and install-persistent.php after execution to hinder forensic analysis; absence of these files does not confirm a clean system if the second-stage fake plugin was already installed.
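One way to act on the filesystem-enumeration, loader-file and timestamp hints above, as an added defensive example (not the page's, Wordfence's or the vendor's code): it compares the plugin slugs present on disk against those the admin UI reports and flags the indicators the quotes name. The year (2026) and the two-day width of the "May 21" window are assumptions, and the sample plugin tree is constructed.

```python
# Added example (not from the page or any vendor): audit wp-content/plugins/
# for the indicators quoted above. Year 2026 for "May 21" is an assumption.
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

SUSPICIOUS_SLUGS = {"woocommerce-subscription", "woocommerce-notification"}
LOADER_FILES = {"install-persistent.php", "LicenseLoader.php"}
WINDOW_START = datetime(2026, 5, 20, tzinfo=timezone.utc)  # assumed window
WINDOW_END = datetime(2026, 5, 23, tzinfo=timezone.utc)    # around "May 21"

def audit_plugins(plugins_dir: Path, admin_slugs: set) -> dict:
    """Compare on-disk plugin slugs with those the admin UI reports
    (admin_slugs, e.g. the output of `wp plugin list`) and collect findings."""
    findings = {"hidden": [], "suspicious_slug": [],
                "loader_file": [], "modified_in_window": []}
    for entry in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        if entry.name not in admin_slugs:      # on disk but absent from the UI
            findings["hidden"].append(entry.name)
        if entry.name in SUSPICIOUS_SLUGS:     # impersonates WooCommerce
            findings["suspicious_slug"].append(entry.name)
        for f in entry.rglob("*.php"):
            rel = f.relative_to(plugins_dir).as_posix()
            if f.name in LOADER_FILES:         # transient loader still present
                findings["loader_file"].append(rel)
            mtime = datetime.fromtimestamp(f.stat().st_mtime, tz=timezone.utc)
            if WINDOW_START <= mtime < WINDOW_END:
                findings["modified_in_window"].append(rel)
    return findings

def write_stamped(path: Path, body: str, when: datetime) -> None:
    """Create a file with a chosen mtime (used only to build sample data)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(body)
    os.utime(path, (when.timestamp(), when.timestamp()))

def demo() -> dict:
    """Run the audit on a constructed sample tree (not a real site)."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "wp-content" / "plugins"
        write_stamped(plugins / "woo-product-slider-pro" / "woo-product-slider-pro.php",
                      "<?php // legitimate main file\n",
                      datetime(2026, 4, 1, tzinfo=timezone.utc))
        write_stamped(plugins / "woocommerce-subscription" / "install-persistent.php",
                      "<?php // placeholder for the implanted loader\n",
                      datetime(2026, 5, 21, 12, 0, tzinfo=timezone.utc))
        # The admin UI lists only the legitimate plugin; the implant hides itself.
        return audit_plugins(plugins, {"woo-product-slider-pro"})
```

In production, feed `audit_plugins` the real plugins directory and the slug set from `wp plugin list`; an empty `loader_file` list is not a clean bill of health, since the loaders self-delete.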
CVSS provenance
- nvd: v3.1 · 10.0 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- vulncheck: 10.0 · CRITICAL
VulDB
ShapedPlugin Product Slider Pro for WooCommerce Plugin up to 3.5.2 on WordPress improper validation of specified quantity in input (EUVD-2026-34792)
vuldb · 2026-06-07 · CVSS 10.0 · CRITICAL
A vulnerability classified as critical has been found in ShapedPlugin Product Slider Pro for WooCommerce Plugin up to 3.5.2 on WordPress. Affected by this vulnerability is an unknown functionality. The manipulation leads to improper validation of specified quantity in input.
This vulnerability is referenced as CVE-2026-49777. Remote exploitation of the attack is possible. No exploit is available.
It is recommended to upgrade the affected component.
GHSA
Improper Validation of Specified Quantity in Input vulnerability in ShapedPlugin, LLC Product Slider Pro for WooCommerce allows Malicious Software Implanted.
ghsa_unreviewed · 2026-06-05 · CRITICAL · CWE-1284
This issue affects Product Slider Pro for WooCommerce: from n/a before 3.5.3.
No patched version is available - the vendor has applied a fix to an existing release without publishing a new version. While the patch provided by the vendor is valid, releasing it under the existing version number leaves users unable to reliably determine whether they are running a patched or vulnerable installation. As a result, we treat this as an unpatched version.
VulnCheck
Improper Validation of Specified Quantity in Input
vulncheck · 2026 · CVSS 10.0 · CRITICAL
Improper Validation of Specified Quantity in Input vulnerability in ShapedPlugin, LLC Product Slider Pro for WooCommerce allows Malicious Software Implanted.
This issue affects Product Slider Pro for WooCommerce: from n/a before 3.5.4.
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/wordpress/plugin/woo-product-slider-pro/vulnerability/wordpress-product-slider-pro-for-woocommerce-plugin-3-5-2-backdoor-vulnerability
No detection rules found.
Nuclei
WordPress Product Slider Pro for WooCommerce < 3.5.4 - Supply Chain Backdoor RCE
nuclei · CVSS 10.0 · CRITICAL
Improper Validation of Specified Quantity in Input vulnerability in ShapedPlugin, LLC Product Slider Pro for WooCommerce allows Malicious Software Implanted. This issue affects Product Slider Pro for WooCommerce: from n/a before 3.5.4.
Template:

```yaml
id: CVE-2026-49777
info:
  name: WordPress Product Slider Pro for WooCommerce < 3.5.4 - Supply Chain Backdoor RCE
  author: DhiyaneshDk
  severity: critical
  description: |
    Improper Validation of Specified Quantity in Input vulnerability in ShapedPlugin, LLC Product Slider Pro for WooCommerce allows Malicious Software Implanted. This issue affects Product Slider Pro for WooCommerce: from n/a before 3.5.4.
  impact: |
    Attackers can implant malicious software, potentially com
```
Hackernews
ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack
blogs_hackernews · 2026-06-22 · CVSS 10.0 · CRITICAL
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack after unknown threat actors managed to tamper with the official release channels and push backdoor code.
"Attackers compromised the vendor's build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels," Wordfence said in an analysis published last week.
The incident affects the following plugins:
- Product Slider Pro for WooCommerce (versions before 3.5.4)
- Real Testimonials Pro (version 3.2.5)
Bleepingcomputer
ShapedPlugin update flow hacked to infect WordPress sites
blogs_bleepingcomputer · 2026-06-18 · CVE-2026-10735
By Bill Toulas
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack that distributed infected releases to paying customers via the vendor's official update system.
The malware delivered this way installed a fake plugin that impersonates WooCommerce components, steals credentials, and grants operators remote file-writing capabilities.
ShapedPlugin is a WordPress plugin vendor specializing in front-end/UI components and content display plugins, with a total active installation base of more than 400,000 for the free products.
The security incident affected only three paid plugins: Product Slider Pro before 3.5.4 for WooCommerce, Real Testimonials Pro 3.2.5, and Smart Post Show Pro before 4.0.2.