
Hackers Hijacked a WordPress Plugin Vendor’s Updates. The Backdoor Installed Itself.

You keep your plugins updated. That’s the advice everyone gives. Keep your software current. Apply patches. Don’t fall behind.

So here’s the uncomfortable question this week: what if the update itself was the attack?

That’s exactly what happened to thousands of WordPress site owners who had paid plugins from ShapedPlugin installed. Sometime around May 21, 2026, attackers quietly compromised ShapedPlugin’s update distribution servers and pushed backdoored code to paying customers through the vendor’s own official update channel.[1] Sites that had automatic updates enabled installed the malware without anyone clicking anything or doing anything wrong. The breach wasn’t discovered until June 10, when customers started reporting strange behavior. ShapedPlugin acknowledged the incident on June 16, nearly four weeks after the initial compromise.[2]

Which Plugins Were Affected

Three paid plugins were compromised: Product Slider Pro for WooCommerce (versions before 3.5.4), Real Testimonials Pro (version 3.2.5), and Smart Post Show Pro (versions before 4.0.2).[1] If those names sound familiar, it’s because they’re exactly the kind of plugins small e-commerce sites and service businesses use all the time. Product galleries, customer testimonials, post displays. Ordinary stuff.

The free versions of ShapedPlugin’s plugins on WordPress.org were not affected. Only customers who purchased the paid versions and downloaded updates through ShapedPlugin’s own licensing platform were exposed. The total active installation base for the affected product family runs well above 200,000 sites.[3]

What the Backdoor Actually Did

This wasn’t a subtle piece of malware. Researchers found that the payload was built for full, persistent takeover.[1]

First, it hid itself. The malicious code filtered the compromised plugin out of the admin's plugin list, so there was nothing visible to click "Deactivate" on. Then it registered a hidden REST API endpoint that accepted arbitrary file writes to the server, which means attackers could plant any file they wanted, at any path the web server could write, whenever they liked. To make remote access even easier, it also bundled two open-source GUI tools, Tiny File Manager and Adminer, giving attackers a point-and-click interface to browse and edit files and the database directly through a browser.

Then it installed a webshell: a PHP file on the server that executes whatever command is passed to it in a web request, effectively a remote control for the host. Combined with the REST API backdoor and the bundled GUI tools, attackers had several independent ways in, each one serving as a fallback if another got cleaned up. That redundancy is why deleting a single suspicious file is not a cleanup.

One of the nastier details: the malware specifically searched for two-factor authentication seed values from common 2FA WordPress plugins.[2] So even if accounts had MFA enabled, attackers were collecting the underlying secrets needed to generate valid codes. Resetting passwords alone wouldn’t fix that.

The CVE assigned to the core vulnerability, CVE-2026-10735, carries a CVSS severity score of 9.8 out of 10. The Product Slider Pro component specifically was assigned CVE-2026-49777 with the maximum score of 10.0.[3]

Why This Matters for Small Business Sites

Most WordPress attacks target plugin vulnerabilities, where attackers find a bug in a plugin and exploit it. You defend against those by updating your plugins. This attack bypassed that entirely. The malicious code came from the vendor, through the official update mechanism, delivered with the same trust as any legitimate update. No phishing link, no suspicious download, no user error.

I’ve talked to plenty of small business owners who assume their WordPress site is low-risk because they’re not a big company. But attackers don’t care about company size. A compromised WordPress site can be used to steal customer payment data, redirect visitors to malware, send spam at scale, or serve as a staging point for attacking other systems. The site’s traffic doesn’t matter. The access does.

Supply chain attacks are particularly hard to defend against because they undermine the one habit you can’t stop doing. Keeping software updated is still the right call. But it’s a reminder that your security is only as strong as the vendors you trust.

What to Do Right Now

If you’re running any of the three affected ShapedPlugin Pro plugins, here’s the priority list.

Update immediately. ShapedPlugin has released patched versions. Product Slider Pro 3.5.4 or later, Smart Post Show Pro 4.0.2 or later. Real Testimonials Pro customers should contact ShapedPlugin directly for remediation guidance if they haven’t already received it.[2]

Delete the rogue admin account. The malware creates a hidden WordPress administrator account named wp_support_sys. If you find it, delete it. Then audit all your administrator accounts for anything unfamiliar, sorting by registration date and looking hard at anything created on or after May 21.

Reset everything that matters. All WordPress admin passwords, all database passwords, all SMTP credentials in your mail plugins. The malware specifically looked for SMTP settings, so assume those were harvested if your site was infected during the exposure window. Because Adminer gave attackers direct database access, treat anything else stored in the database as exposed too, including API keys for payment gateways and other services saved in plugin settings. Rotating the authentication keys and salts in wp-config.php also invalidates every existing login session, which logs out anyone still riding a stolen cookie.

Regenerate 2FA secrets. Because the payload collected TOTP seeds from 2FA plugins, resetting passwords isn’t enough. Every user who had 2FA configured through a WordPress plugin should revoke and regenerate their two-factor setup from scratch.

Check for webshells. If you have hosting access, scan your web root for unfamiliar PHP files, particularly anything that accepts URL parameters and runs commands. Two quick checks: PHP files under wp-content/uploads (there should be none), and stray copies of Adminer or Tiny File Manager, which the payload bundled. Your host's malware scanner may catch these; worth running one if you haven't recently.

If you have a backup from before May 21, this is also a good time to compare it against the live site. A file-by-file diff shows what changed during the compromise window and helps confirm whether you were actually infected.
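The checklist above, and the hiding tricks described earlier (plugin filtered out of the admin list, a hidden REST route, dropped PHP files), can be worked through from a shell with WP-CLI. The script below is an added example written for this post, not code from ShapedPlugin, the researchers who analysed the payload, or any of the cited write-ups. It assumes WP-CLI is installed as `wp` and the site root is supplied in `WP_PATH`; the hidden-plugin check assumes the usual hiding technique of filtering the plugin out through WordPress's `all_plugins` hook, and the function names are this example's own.

```shell
#!/bin/sh
# Post-incident audit helper for a WordPress site that received a backdoored
# plugin update. Added example for this post; not code from ShapedPlugin or the
# researchers who analysed the payload. Assumes WP-CLI is installed as "wp" and
# that the site root is supplied in WP_PATH. The hidden-plugin check assumes the
# common hiding technique (filtering the plugin out via the "all_plugins" hook).

# Functions that look suspicious in a stray PHP file. Legitimate plugins use
# some of these too, so treat hits as a review list, not a verdict.
WEBSHELL_PATTERN='(eval|assert|system|passthru|shell_exec|base64_decode)[[:space:]]*\('

# 1. Plugins present on disk but filtered out of the admin's plugin list.
hidden_plugins() {
  wp --path="$1" eval '
    require_once ABSPATH . "wp-admin/includes/plugin.php";
    $all = get_plugins();
    $shown = apply_filters("all_plugins", $all);
    foreach (array_keys(array_diff_key($all, $shown)) as $file) echo $file, "\n";'
}

# 2. Every registered REST route. Review anything outside the namespaces you
#    know (wp/v2, oembed/1.0, and the plugins you intentionally run).
rest_routes() {
  wp --path="$1" eval 'foreach (array_keys(rest_get_server()->get_routes()) as $r) echo $r, "\n";'
}

# 3. Administrator accounts with registration dates, so accounts created during
#    the exposure window stand out.
list_admins() {
  wp --path="$1" user list --role=administrator \
     --fields=ID,user_login,user_email,user_registered --orderby=registered
}

# Remove the rogue account named in the write-ups; $2 is the ID of a trusted
# admin that should inherit any content the rogue account owns.
remove_rogue_admin() {
  wp --path="$1" user delete wp_support_sys --reassign="$2" --yes
}

# 4. Force a password reset for every administrator (they must set new ones).
reset_admin_passwords() {
  for id in $(wp --path="$1" user list --role=administrator --field=ID); do
    wp --path="$1" user reset-password "$id" --skip-email
  done
}

# 5. PHP files under wp-content/uploads. Uploads should never contain PHP;
#    anything here is a dropped file until proven otherwise.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null || true
}

# 6. PHP files anywhere under wp-content that call code-execution primitives,
#    plus copies of the two GUI tools the payload bundled.
scan_php_for_webshells() {
  find "$1/wp-content" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
    if grep -qE "$WEBSHELL_PATTERN" "$f" || grep -qiE 'Tiny File Manager|Adminer' "$f"; then
      echo "$f"
    fi
  done
  return 0
}

# Run the read-only checks when a site root is supplied. Deleting the rogue
# account and resetting passwords are deliberate, separate calls.
if [ -n "${WP_PATH:-}" ]; then
  echo "== plugins hidden from the admin list ==";  hidden_plugins "$WP_PATH"
  echo "== REST routes ==";                         rest_routes "$WP_PATH"
  echo "== administrator accounts ==";              list_admins "$WP_PATH"
  echo "== PHP in uploads ==";                      php_in_uploads "$WP_PATH"
  echo "== suspicious PHP under wp-content ==";     scan_php_for_webshells "$WP_PATH"
fi
```

Run it as `WP_PATH=/var/www/html sh wp_postincident_audit.sh` for the read-only report, then call `remove_rogue_admin` and `reset_admin_passwords` by hand once you have confirmed which admin ID should inherit the rogue account's content. The file scans only tell you where to look; compare each hit against a clean copy of the plugin or a pre-May-21 backup before deciding it is malicious.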

More broadly, this is a good moment to review which plugins you actually need on your site. The smaller the attack surface, the less there is to target. Plugins you installed two years ago for a feature you stopped using are just risk with no reward.

Not sure whether your WordPress site is clean, or want someone to audit it before you open back up to customers? We can help. Reach out here or call us at (412) 307-8313.

  1. The Hacker News, “ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack,” thehackernews.com
  2. Security Affairs, “ShapedPlugin Supply Chain Attack Backdoors Pro Plugin Updates,” securityaffairs.com
  3. Mallory, “ShapedPlugin Pro WordPress Plugin Supply-Chain Backdoor (CVE-2026-10735),” mallory.ai