Ethical Hacking News
A devastating supply chain attack on ShapedPlugin WordPress Pro Plugins has left numerous site owners vulnerable to malware. The attackers managed to infiltrate the vendor's build and distribution pipeline, injecting malicious code into the plugins through Easy Digital Downloads (EDD) infrastructure via account.shapedplugin[.]com. The compromised plugins were Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro, with versions before 3.5.4, version 3.2.5, and versions before 4.0.2 being particularly vulnerable to the attack. This breach highlights the importance of staying vigilant in cybersecurity practices and ensuring the integrity of software updates.
ShapedPlugin's Pro Plugins were compromised through a supply chain attack involving malicious code injected into the official release channels.
The attackers targeted plugins such as Product Slider Pro, Real Testimonials Pro, and Smart Post Show Pro, with versions before 3.5.4, version 3.2.5, and versions before 4.0.2 being particularly vulnerable.
The compromised plugins installed malware that reported back to a remote server, erasing itself in an effort to cover up tracks.
The malware captured credentials in plaintext and used persistence methods to extract sensitive data from compromised sites.
ShapedPlugin has confirmed the incident and plans to review its distribution and release processes to ensure product integrity.
Affected site owners are advised to take immediate action to mitigate damage, including resetting passwords, revoking 2FA secrets, and reviewing administrator accounts.
ShapedPlugin, a prominent provider of WordPress plugins, has recently fallen victim to a devastating supply chain attack that has left its customers and the broader cybersecurity community reeling. The attack, which was first discovered by Wordfence, a leading cybersecurity company, involved the compromise of multiple ShapedPlugin WordPress Pro Plugins through tampering with the official release channels.
In essence, the attackers managed to infiltrate the vendor's build and distribution pipeline, injecting malicious code into the Pro plugin releases that were distributed through Easy Digital Downloads (EDD) infrastructure via account.shapedplugin[.]com. This malicious code was embedded in the Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro plugins, with versions before 3.5.4, version 3.2.5, and versions before 4.0.2 being particularly vulnerable to the attack.
The breach is severe because numerous site owners who purchased legitimate licenses and installed updates directly from ShapedPlugin's official update system received malware. The compromised plugins incorporated a loader that triggered on every admin page, fetching a payload from a remote server ("194.76.217[.]28:2871"), installing it, and activating it as a fake plugin.
Upon activation, the malware reported back to the server and erased itself in an effort to cover its tracks and complicate incident response. The counterfeit plugin could capture plaintext credentials and two-factor authentication (2FA) codes, and it established multiple persistence methods that enabled arbitrary file writes via a custom REST endpoint when provided with a specific authentication token.
It also dropped a web shell with command execution features and used a PHP file named "install-persistent.php" to extract sensitive data from the compromised sites. This data included the full contents of wp-config.php, including database credentials, authentication keys, and debug settings; all administrator accounts with registration dates; mail plugin credentials from WP Mail SMTP, Post SMTP, and Easy WP SMTP; and WooCommerce order data from the last three months with payment method breakdown.
It is worth noting that the attack could have been a result of a compromise of the build pipeline rather than a direct poisoning of the packages. ShapedPlugin has subsequently confirmed the incident and stated its intention to review the distribution and release processes to ensure the integrity of its products moving forward.
In light of this breach, it is imperative for affected site owners to take immediate action to mitigate potential damage. This includes resetting all passwords, revoking and regenerating 2FA secrets for all users, reviewing administrator accounts for unauthorized additions, and checking mail plugin configurations for modified SMTP credentials.
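A triage sketch for the indicators this article names (the remote address, the "install-persistent.php" file and the three plugin names), added here as an example and not code from Wordfence or ShapedPlugin. It assumes a standard wp-content directory passed as the first argument, and it reports the installed version of each named plugin so it can be compared with the affected versions the article lists.

```python
import os
import re
import sys

# Indicators named in the article; the address is re-fanged so it can be matched.
C2_ADDR = b"194.76.217.28"
DROPPED_FILE = "install-persistent.php"
NAMED_PLUGINS = {"product slider pro for woocommerce", "real testimonials pro",
                 "smart post show pro"}
# Approximation of the comment-header lines WordPress reads from a plugin's main file.
HEADER = re.compile(rb"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)[ \t\r]*$", re.M | re.I)


def plugin_header(head):
    """Return (name, version) parsed from the first bytes of a PHP file, or None."""
    fields = {}
    for key, value in HEADER.findall(head[:8192]):
        fields.setdefault(key.decode().lower(), value.decode(errors="replace"))
    if "plugin name" not in fields:
        return None
    return fields["plugin name"], fields.get("version", "unknown")


def triage(wp_content):
    """Walk wp-content and return sorted (kind, relative_path, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(wp_content):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, wp_content).replace(os.sep, "/")
            if name.lower() == DROPPED_FILE:
                findings.append(("dropped-file", rel, ""))
            if not name.lower().endswith(".php"):
                continue  # only PHP sources are searched for the address
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError as exc:
                findings.append(("unreadable", rel, str(exc)))
                continue
            if C2_ADDR in data:
                findings.append(("c2-address", rel, C2_ADDR.decode()))
            header = plugin_header(data)
            if header and header[0].strip().lower() in NAMED_PLUGINS:
                findings.append(("named-plugin", rel, header[1]))
    return sorted(findings)


if __name__ == "__main__":
    for kind, rel, detail in triage(sys.argv[1] if len(sys.argv) > 1 else "wp-content"):
        print(f"{kind:13} {rel} {detail}")
```

Because the malware erased itself after reporting back, an empty result does not clear a site; the credential resets and account review described above still apply.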
Furthermore, new versions of the impacted plugins are expected to be released pending comprehensive security reviews and validation tests. It is also essential for individuals to remain vigilant in their cybersecurity practices and stay informed about any emerging threats or vulnerabilities that may impact their sites.
Published: Mon Jun 22 13:15:57 2026 by llama3.2 3B Q4_K_M