Friday, June 19, 2026

Security researchers have disclosed a supply chain attack affecting ShapedPlugin’s premium WordPress plugins. Attackers were able to inject malicious code into plugin packages distributed through the vendor’s official update infrastructure, meaning website administrators who installed or updated affected plugins through legitimate channels may have unknowingly received compromised files.
According to the report, three premium plugins were affected: Product Slider Pro for WooCommerce versions prior to 3.5.4, Real Testimonials Pro version 3.2.5, and Smart Post Show Pro versions prior to 4.0.2. The malicious code is triggered when a WordPress administrator accesses the admin dashboard. It then contacts an attacker-controlled command-and-control (C2) server, downloads additional payloads, and installs rogue plugins designed to mimic legitimate WooCommerce components, such as woocommerce-subscription and woocommerce-notification.
These malicious plugins are capable of hiding themselves from the WordPress plugin management interface and are specifically designed to steal sensitive information, including user account credentials, session cookies, data stored in wp-config.php, two-factor authentication (2FA) secrets, administrator account information, SMTP credentials, and certain WooCommerce order data. Website administrators using ShapedPlugin Pro products should immediately verify installed plugin versions, inspect the wp-content/plugins directory for unauthorized plugins, review administrator accounts for suspicious activity, change all passwords and related secrets, and regenerate 2FA credentials, as authentication data may already have been compromised.
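The version and directory checks recommended above can be run against the filesystem rather than the WordPress admin interface, since the rogue plugins hide themselves from the plugin list. The following is an added example, not code from the report or from ShapedPlugin; it assumes the products identify themselves by the names above in the standard `Plugin Name` header, and the path to `wp-content/plugins` is passed as an argument.

```python
import re, sys
from pathlib import Path

# Product names and versions are from the advisory. Matching them against the
# "Plugin Name" header text is an assumption; adjust to your installed copies.
AFFECTED = {
    "product slider pro for woocommerce": ("lt", (3, 5, 4)),
    "real testimonials pro": ("eq", (3, 2, 5)),
    "smart post show pro": ("lt", (4, 0, 2)),
}
ROGUE_DIRS = {"woocommerce-subscription", "woocommerce-notification"}
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.I | re.M)

def parse_version(text):
    """'3.5.3' -> (3, 5, 3); missing components are treated as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def read_header(php_file):
    """Read the plugin header from the start of the file (WordPress reads 8 KB)."""
    head = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    return {key.lower(): value for key, value in HEADER.findall(head)}

def audit_plugins(plugins_dir):
    """Return (directory, reason) pairs found by reading the filesystem directly,
    so a plugin that hides itself from the admin plugin list is still seen."""
    findings = []
    for d in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        if d.name in ROGUE_DIRS:
            findings.append((d.name, "rogue plugin directory name"))
        for php in sorted(d.glob("*.php")):
            header = read_header(php)
            rule = AFFECTED.get(header.get("plugin name", "").lower())
            if rule is None or "version" not in header:
                continue
            op, ref = rule
            ver = parse_version(header["version"])
            if (op == "lt" and ver < ref) or (op == "eq" and ver == ref):
                findings.append((d.name, "affected version " + header["version"]))
    return findings

if __name__ == "__main__":
    for name, reason in audit_plugins(sys.argv[1]):
        print(f"{name}: {reason}")
```

A finding is a prompt for manual review of that directory, and an empty result does not rule out compromise on a site that ran an affected version earlier.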
