Ethical Hacking News
A critical vulnerability has been discovered in ShapedPlugin Pro plugin updates, leaving hundreds of thousands of WordPress websites vulnerable to malicious attacks. The attackers compromised the vendor's build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels. This attack highlights the importance of ensuring the security of software supply chains and underscores the need for vigilance among website owners.
A recent devastating software supply chain attack left hundreds of thousands of WordPress websites vulnerable to malicious attacks. A critical vulnerability was discovered in ShapedPlugin Pro plugin updates, allowing attackers to steal credentials and gain full site access. The attackers compromised the vendor's build and distribution pipeline, injecting backdoor code into legitimate licensed updates. The attack runs in two stages, using a loader file to download a payload from an attacker-controlled server. The dropped payload registers a REST API backdoor, bundles Tiny File Manager and Adminer for direct GUI access, and installs a webshell that accepts commands via URL parameters. The malware steals credentials by searching for TOTP seeds from multiple 2FA plugins and sending them to an exfiltration domain. The attack is attributed to AEZA GROUP LLC, tied to Russian-based entities, and demonstrates the evolving threat landscape facing WordPress site owners. Website owners are advised to scan for fake plugins, rotate passwords and credentials, regenerate 2FA secrets, and monitor their websites for suspicious activity.
The world of cybersecurity is constantly evolving, and software supply chain attacks have become an increasingly common threat. Recently, a devastating attack on ShapedPlugin Pro plugin updates has left hundreds of thousands of WordPress websites vulnerable to malicious attacks. In this article, we will delve into the details of this attack, its consequences, and the implications for website owners.
ShapedPlugin is a reputable WordPress software company that develops premium and free plugins for WordPress and WooCommerce websites. Founded in 2015, it offers plugins for carousels, galleries, testimonials, weather widgets, accordions, product displays, team showcases, and other website functions. Its products are used by hundreds of thousands of websites worldwide.
However, in June 2026, a critical vulnerability was discovered in ShapedPlugin Pro plugin updates. Attackers backdoored the plugins, deploying malware that steals credentials and 2FA secrets and grants full site access. This attack highlights the importance of ensuring the security of software supply chains.
According to Wordfence, a cybersecurity firm, the attackers compromised the vendor's build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels. This attack is particularly insidious because affected site owners followed security best practices: they purchased legitimate licenses and installed updates directly from the vendor's official update system.
The infection runs in two stages. The first is a loader file called LicenseLoader.php that downloads a payload from an attacker-controlled server, installs it as a fake plugin, reports the victim domain back to the attacker, and then deletes itself. This self-deleting behavior means the initial infection vector disappears after first execution, complicating forensic analysis for site owners who notice the infection later.
The dropped payload disguises itself as WooCommerce-related plugins, using names like “woocommerce-subscription” in the singular form, one letter away from the legitimate plugin name. What that payload does once installed is extensive. It hides itself from the WordPress admin plugin list, registers a REST API backdoor that accepts arbitrary file writes, bundles Tiny File Manager and Adminer for direct GUI access to files and databases, and installs a webshell that accepts commands via URL parameters.
Moreover, the malware steals credentials in a more sophisticated way than typical threats. It specifically searches for TOTP seeds from multiple 2FA plugins. The stolen passwords and TOTP seeds are sent to generate.2faplugin.org, a domain that blends in with legitimate two-factor traffic. If an attacker has your password and your TOTP seed, changing your password after discovery doesn’t help on its own.
The forensic evidence points to a CI/CD pipeline compromise rather than someone manually tampering with ZIP files. Only four files were modified on May 21st within a two-hour window, consistent with an automated build step. The compromised package also contains git SHA references confirming it was built from a private repository. The attacker had access to deploy updates to both WordPress.org and the Pro distribution system, but only injected malware into some Pro builds — either because WordPress.org scans for malware or because paying customers are higher-value targets. Possibly both.
The C2 infrastructure is registered to AEZA GROUP LLC, tied to Russian-based entities. The exfiltration domain 2faplugin.org was updated on May 10th, about eleven days before the backdoor was injected into Pro builds. Anyone who installed any ShapedPlugin Pro product between April and June 2026 should scan immediately, check for fake plugins under wp-content/plugins/woocommerce-subscription/ or woocommerce-notification/, rotate all WordPress admin passwords, database credentials, and API keys, and, critically, revoke and regenerate 2FA secrets for every user on the site, since existing TOTP seeds should be considered stolen.
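The scan step above can be scripted. The following is an added example written for this article, not code from Wordfence or ShapedPlugin; it assumes the WordPress root is passed as the first argument and checks only the three indicators the article names (the two fake plugin directories, the LicenseLoader.php loader, and PHP files that mention the 2faplugin.org domain), using a constructed demo tree so it runs offline.

```shell
#!/bin/sh
# Added defender-side check (not code from the article or from ShapedPlugin).
# Assumes $1 is a WordPress root with wp-content/plugins/ beneath it.
scan_wp_root() {
    root="$1"
    plugins="$root/wp-content/plugins"
    # 1. Fake plugin directories. The real plugin is "woocommerce-subscriptions"
    #    (plural); the dropped payload uses the singular form, one letter off.
    for d in woocommerce-subscription woocommerce-notification; do
        [ -d "$plugins/$d" ] && echo "SUSPECT fake plugin directory: $plugins/$d"
    done
    # 2. The loader. It deletes itself after first run, so a miss here does not
    #    mean the site is clean; a hit means the loader has not executed yet.
    find "$root" -type f -name 'LicenseLoader.php' 2>/dev/null |
        while IFS= read -r f; do echo "SUSPECT loader file: $f"; done
    # 3. Any PHP file that mentions the exfiltration domain.
    find "$root" -type f -name '*.php' -exec grep -l '2faplugin.org' {} + 2>/dev/null |
        while IFS= read -r f; do echo "SUSPECT exfil domain reference: $f"; done
    return 0
}

# Number of SUSPECT lines for a root, printed as a bare integer for scripting.
count_indicators() {
    scan_wp_root "$1" | grep -c '^SUSPECT' || true
}

# Constructed demo tree (not a real site) so the check runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/plugins/woocommerce-subscriptions"   # legitimate, plural
mkdir -p "$demo/wp-content/plugins/woocommerce-subscription"    # singular: suspect
printf '<?php $c = "https://generate.2faplugin.org/";\n' \
    > "$demo/wp-content/plugins/woocommerce-subscription/index.php"
printf '<?php // constructed stand-in for the loader\n' > "$demo/wp-content/LicenseLoader.php"
scan_wp_root "$demo"
echo "indicators found: $(count_indicators "$demo")"
rm -rf "$demo"
```

A clean result from this script is not proof of a clean site: the loader removes itself and the payload hides from the admin plugin list, so credential and 2FA rotation still applies to every site that installed a Pro update in the affected window.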
This supply chain attack demonstrates the evolving threat landscape facing WordPress site owners. The attackers did not exploit a vulnerability in the plugin code itself: they compromised the vendor’s build and distribution infrastructure, turning legitimate licensed updates into malware delivery vehicles. The inclusion of 2FA secret exfiltration marks a concerning evolution in WordPress-targeted malware.
In conclusion, this attack highlights the importance of ensuring the security of software supply chains. Website owners should take immediate action to scan for fake plugins, rotate passwords and credentials, and regenerate 2FA secrets. They should also be vigilant about monitoring their websites for suspicious activity and report any issues to the relevant authorities.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Vulnerable-Supply-Chain-How-ShapedPlugins-Backdoor-Exposes-WordPress-Websites-to-Malicious-Attacks-ehn.shtml
https://securityaffairs.com/194059/hacking/shapedplugin-supply-chain-attack-backdoors-pro-plugin-updates.html
Published: Tue Jun 23 04:46:22 2026 by llama3.2 3B Q4_K_M