June 23, 2026 at 10:20 AM
ShapedPlugin WordPress Plugins Hit by Severe Supply Chain Attack
ShapedPlugin has confirmed a major supply chain security compromise affecting its premium WordPress offerings, including Product Slider Pro for WooCommerce and Real Testimonials Pro. Attackers gained unauthorized access to the vendor's distribution pipeline, allowing them to inject malicious code into licensed Pro plugin updates. While free versions available on WordPress.org remain secure, users who purchased and installed updates through the company's official site are potentially at risk of credential theft and system takeover.
The breach, which has been associated with CVE-2026-49777 and CVE-2026-10735, utilized a sophisticated loader mechanism that executes during admin-side operations. This malware reports site information to a remote server and installs persistent backdoors capable of capturing sensitive configuration data, including WordPress admin credentials, database access keys, and WooCommerce payment records. The incident highlights the growing threat posed to the digital ecosystem by compromised third-party vendor build pipelines.
Security researchers advise all affected site owners to immediately perform a thorough security audit, reset all user credentials, and regenerate authentication keys. ShapedPlugin is currently reviewing its internal release processes and working toward providing verified, clean updates for its user base. For Indian web development firms managing multiple WordPress sites, this incident underscores the critical necessity of monitoring vendor update channels and maintaining strict environment segregation to limit the impact of such supply chain attacks.
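One way to approach the integrity part of that audit, as an added example that is not code from ShapedPlugin or from the original article: hash every file of an installed plugin and compare it with a reference archive that has been independently confirmed clean. The plugin name `example-plugin`, the file contents and all function names are constructed for illustration.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def archive_manifest(zip_source, top_dir):
    """Map relative path -> SHA-256 for files under top_dir/ in the reference zip."""
    prefix = top_dir + "/"
    with zipfile.ZipFile(zip_source) as zf:
        return {i.filename[len(prefix):]: sha256(zf.read(i)) for i in zf.infolist()
                if i.filename.startswith(prefix) and not i.is_dir()}

def installed_manifest(plugin_dir):
    """Map relative path -> SHA-256 for every file in the installed plugin."""
    root = Path(plugin_dir)
    return {p.relative_to(root).as_posix(): sha256(p.read_bytes())
            for p in root.rglob("*") if p.is_file()}

def compare(reference, installed):
    """Classify how the live install differs from the trusted reference."""
    return {
        "modified": sorted(f for f in reference if f in installed and installed[f] != reference[f]),
        "unexpected": sorted(f for f in installed if f not in reference),
        "missing": sorted(f for f in reference if f not in installed),
    }

def demo():
    """Constructed sample: a two-file reference zip and an altered install."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example-plugin/example-plugin.php", b"<?php // main file\n")
        zf.writestr("example-plugin/includes/admin.php", b"<?php // admin code\n")
    buf.seek(0)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "example-plugin"
        (root / "includes").mkdir(parents=True)
        (root / "example-plugin.php").write_bytes(b"<?php // main file\n")
        (root / "includes" / "admin.php").write_bytes(b"<?php // admin code\n// changed\n")
        (root / "includes" / "extra.php").write_bytes(b"<?php // not in reference\n")
        return compare(archive_manifest(buf, "example-plugin"), installed_manifest(root))

if __name__ == "__main__":
    print(demo())
```

A clean result only shows that the plugin directory matches the reference archive. Because the malware described above installs persistent backdoors, the rest of the site still needs the audit and the credential and key resets.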
Pulse Intelligence
AI Analysis
Context & Background
- Supply chain attacks against software vendors have become increasingly common in the enterprise software ecosystem.
- Wordfence security researchers identified the backdoor within several popular Pro-level WordPress plugins.
- ShapedPlugin users have been advised to manually verify the integrity of their existing installations following the disclosure.
Key Consequences
- Site owners are facing widespread administrative overhead to reset compromised credentials and verify server integrity.
- The incident is likely to cause significant reputational damage to the vendor, impacting future enterprise adoption of their plugins.
- Organizations are expected to adopt stricter security protocols for automated plugin updates in response to the vulnerability.
Market & Economic Impact
This event may lead to a temporary contraction in sales for the affected developer and increased scrutiny regarding third-party plugin security in the Indian web development market.

