Executive Summary
On June 18, 2026, it was publicly disclosed that several ShapedPlugin commercial WordPress plugins were compromised in a supply chain attack. Malicious code was injected into Pro plugin builds distributed via the vendor’s official update system, impacting only paying customers who downloaded or auto-updated from the vendor. The attack resulted in the theft of sensitive data, including WordPress login credentials, two-factor authentication secrets, database credentials, administrator account details, SMTP/email service credentials, and WooCommerce order data. The compromise was traced to the vendor’s build pipeline and update infrastructure, with evidence confirming that releases hosted on WordPress.org remained unaffected. The incident has significant implications for e-commerce operators, digital marketers, and any organization relying on the affected plugins, with potential regulatory and reputational consequences. Remediation steps and technical indicators have been published, and all organizations using ShapedPlugin Pro plugins are urged to take immediate action.
Technical Information
The attack on ShapedPlugin represents a sophisticated supply chain compromise, targeting the update infrastructure for commercial WordPress plugins. The malicious code was introduced into Pro plugin builds distributed through the vendor’s official update system, affecting only paying customers. The initial infection vector was a malicious loader file, LicenseLoader.php, embedded within the compromised plugin packages. This loader activated when a WordPress administrator accessed the admin panel, contacting a command-and-control (C2) server to download a second-stage backdoor. The backdoor was installed as a fake plugin, such as woocommerce-subscription or woocommerce-notification, and was hidden from the standard WordPress plugin list to evade detection.
The second-stage backdoor exfiltrated sensitive information, including WordPress login credentials, session cookies, user roles, IP addresses, browser details, two-factor authentication secrets from popular security plugins, database credentials and authentication keys from wp-config.php, administrator account details, SMTP/email service credentials, and WooCommerce order data from the past three months. The malicious payload also created a hidden administrator account named wp_support_sys, exfiltrated database credentials to the domain cdn-stats-api[.]com, and injected SEO spam into site footers. Persistence mechanisms were implemented to ensure the backdoor and injected files survived standard plugin deactivation and removal, including the creation of unexpected files in /wp-content/plugins/ (such as class-wp-cache-manager.php, init-core-helper.php, and wp-db-update.php) and the modification of .htaccess files with encoded redirects.
The attack is believed to have originated from a compromise of the vendor’s build pipeline and update infrastructure, as all plugin releases hosted on WordPress.org were confirmed to be clean. The compromise occurred at the update-server level, affecting any site with auto-updates enabled for the affected plugins. The attack leveraged trust in the vendor’s update system, requiring no user interaction beyond a standard update.
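Because the tampering happened at the update-server level, the plugin version string alone says nothing about whether a delivered Pro build is clean; the practical check is to hash a freshly delivered package file by file and diff it against a trusted copy (an earlier clean install or a backup). The script below is an added example and is not code from the advisory, from ShapedPlugin or from WordPress.org; the two plugin trees it builds are constructed demo data with a fictional layout, and the only real name it reuses is the advisory's loader filename, LicenseLoader.php.

```python
"""Compare a freshly delivered plugin package against a known-good baseline.

Added example (not from the advisory or from any vendor tooling). A candidate
package pulled from the vendor update server is hashed file by file and diffed
against a manifest of a trusted copy, so an added loader or a modified main
file stands out even when the plugin's version string is unchanged.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each regular file's relative POSIX path to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, candidate):
    """Return files added, removed or changed in the candidate relative to the baseline."""
    both = set(baseline) & set(candidate)
    return {
        "added": sorted(set(candidate) - set(baseline)),
        "removed": sorted(set(baseline) - set(candidate)),
        "changed": sorted(f for f in both if baseline[f] != candidate[f]),
    }


def verify_package(baseline_dir, candidate_dir):
    """Return the diff; an empty diff means the delivered package matches the trusted copy."""
    return diff_manifests(hash_tree(baseline_dir), hash_tree(candidate_dir))


def _write_tree(root, files):
    for rel, body in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)


def build_sample_packages():
    """Constructed clean and tampered copies of a fictional Pro plugin (demo data only)."""
    clean = {
        "example-pro/example-pro.php": "<?php // Plugin Name: Example Pro (constructed)\n",
        "example-pro/includes/class-slider.php": "<?php class Slider {}\n",
        "example-pro/readme.txt": "Constructed readme for the demo\n",
    }
    tampered = dict(clean)
    # Model of the advisory's pattern: an extra loader file appears and the
    # main plugin file gains a line that pulls it in. The loader body is a placeholder.
    tampered["example-pro/includes/LicenseLoader.php"] = "<?php // placeholder loader body\n"
    tampered["example-pro/example-pro.php"] += "require_once __DIR__ . '/includes/LicenseLoader.php';\n"
    base_dir = Path(tempfile.mkdtemp(prefix="baseline-"))
    cand_dir = Path(tempfile.mkdtemp(prefix="candidate-"))
    _write_tree(base_dir, clean)
    _write_tree(cand_dir, tampered)
    return str(base_dir), str(cand_dir)


if __name__ == "__main__":
    base, cand = build_sample_packages()
    for kind, files in verify_package(base, cand).items():
        print(f"{kind}: {files}")
```

In practice the baseline manifest should be generated from a copy you already trust (a backup taken before May 21, 2026, or a fresh download verified with the vendor) and stored outside the web root, so that a compromised update cannot rewrite its own reference.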
MITRE ATT&CK techniques observed in this incident include T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain), T1059 (Command and Scripting Interpreter), T1071.001 (Application Layer Protocol: Web Protocols), T1078 (Valid Accounts), T1005 (Data from Local System), T1547.006 (Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder, analogous to plugin-based persistence), and T1496 (Resource Hijacking for SEO spam injection).
No explicit threat actor attribution has been made. The tactics, techniques, and procedures (TTPs) are consistent with financially motivated cybercriminal groups targeting WordPress and e-commerce platforms, but there is no direct technical or pattern-based attribution at this time.
Affected Versions & Timeline
The affected products are Product Slider Pro for WooCommerce before version 3.5.4, Real Testimonials Pro version 3.2.5, and Smart Post Show Pro before version 4.0.2. The backdoor was injected into ShapedPlugin Pro builds on May 21, 2026. The first customer reports of malicious updates were received on June 10, 2026. Researchers confirmed the breach on June 12, 2026, after downloading infected plugins from the ShapedPlugin site. The publisher acknowledged the incident on June 16, 2026, and public reporting followed on June 18, 2026.
Threat Activity
The threat actors gained access to the vendor’s update infrastructure, injecting malicious code into plugin updates distributed through the standard WordPress update flow. The malicious loader file activated upon administrator login, contacting a C2 server and downloading a second-stage backdoor. This backdoor was installed as a fake plugin, hidden from the plugin list, and designed to exfiltrate sensitive data and maintain persistence. The attackers created a hidden administrator account (wp_support_sys), exfiltrated database credentials to cdn-stats-api[.]com, and injected SEO spam into site footers. Persistence mechanisms included the creation of unexpected files in the plugins directory and modification of .htaccess files. The attack specifically targeted e-commerce sites, sites using two-factor authentication plugins, and those with SMTP/email integrations, maximizing the impact on customer data and site integrity.
Mitigation & Workarounds
Immediate actions for affected organizations include updating to patched plugin versions (Product Slider Pro 3.5.4 or later and Smart Post Show Pro 4.0.2 or later), removing all rogue administrator accounts (specifically wp_support_sys), rotating all credentials (WordPress, database, SMTP, and two-factor authentication secrets), auditing for unexpected files and verifying plugin integrity against known-good backups, disabling auto-updates for ShapedPlugin products until vendor confirmation, monitoring for outbound connections to known C2 domains, and reviewing WooCommerce order data for unauthorized access. It is also recommended to scan for residual malware, audit the entire site for file integrity and suspicious entries, and monitor for vendor patch confirmation.
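The post-compromise artifacts named in the Technical Information and Threat Activity sections (dropped files under wp-content/plugins/, the fake plugin directories, encoded redirects in .htaccess, the wp_support_sys administrator login, and egress to cdn-stats-api[.]com) can be checked from the host in one pass. The triage script below is an added example, not code from the advisory or from Rescana, Wordfence or ShapedPlugin. It assumes the site's user list has been exported as (login, role) pairs and that an egress or proxy log is available as text; the sample site tree, user list and log lines are constructed for the demo.

```python
"""Host-side triage for the ShapedPlugin supply-chain indicators.

Added example (not from the advisory or any vendor tooling). Checks a WordPress
install directory for the artifacts the advisory lists and scans a constructed
user export and egress log for the rogue admin login and the exfiltration domain.
"""
import base64
import re
import tempfile
from pathlib import Path

# Indicators taken from the advisory text.
DROPPED_FILES = {"class-wp-cache-manager.php", "init-core-helper.php", "wp-db-update.php"}
FAKE_PLUGIN_DIRS = {"woocommerce-subscription", "woocommerce-notification"}
ROGUE_ADMIN = "wp_support_sys"
C2_DOMAIN = "cdn-stats-api.com"  # written defanged in the advisory as cdn-stats-api[.]com

# Heuristic for the "encoded redirect" pattern: a rewrite/redirect directive whose
# argument contains a long base64-looking run instead of a plain URL.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
_REDIRECT_LINE = re.compile(r"^\s*(RewriteRule|Redirect(Match)?|Header)\b", re.I)
# Match the C2 host or any subdomain of it, but not look-alikes such as
# "notcdn-stats-api.com" or "cdn-stats-api.com.other.test".
_C2_PATTERN = re.compile(r"(^|[^A-Za-z0-9-])" + re.escape(C2_DOMAIN) + r"(?![A-Za-z0-9-]|\.[A-Za-z0-9])")


def _plugins_dir(wp_root):
    return Path(wp_root) / "wp-content" / "plugins"


def find_dropped_files(wp_root):
    """Paths of the advisory's dropped files sitting directly under wp-content/plugins/."""
    plugins = _plugins_dir(wp_root)
    if not plugins.is_dir():
        return []
    return sorted(str(p) for p in plugins.iterdir() if p.is_file() and p.name in DROPPED_FILES)


def find_fake_plugins(wp_root):
    """Names of the fake backdoor plugin directories present under wp-content/plugins/."""
    plugins = _plugins_dir(wp_root)
    if not plugins.is_dir():
        return []
    return sorted(p.name for p in plugins.iterdir() if p.is_dir() and p.name in FAKE_PLUGIN_DIRS)


def find_encoded_redirects(wp_root):
    """(file, line number, line) for redirect/rewrite directives carrying a base64-looking blob."""
    hits = []
    for ht in Path(wp_root).rglob(".htaccess"):
        for n, line in enumerate(ht.read_text(errors="replace").splitlines(), 1):
            if _REDIRECT_LINE.match(line) and _B64_RUN.search(line):
                hits.append((str(ht), n, line.strip()))
    return hits


def find_rogue_admins(users):
    """users: iterable of (login, role) pairs as exported from the WordPress user tables."""
    return [login for login, role in users if login == ROGUE_ADMIN and role == "administrator"]


def find_c2_egress(log_lines):
    """Log lines that reference the exfiltration domain or one of its subdomains."""
    return [line for line in log_lines if _C2_PATTERN.search(line)]


def triage(wp_root, users, log_lines):
    """Run every check and return the findings keyed by indicator type."""
    return {
        "dropped_files": find_dropped_files(wp_root),
        "fake_plugins": find_fake_plugins(wp_root),
        "encoded_redirects": find_encoded_redirects(wp_root),
        "rogue_admins": find_rogue_admins(users),
        "c2_egress": find_c2_egress(log_lines),
    }


def build_sample_site():
    """Construct a throwaway WordPress-like tree containing the indicators (demo data only)."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    plugins = root / "wp-content" / "plugins"
    (plugins / "woocommerce").mkdir(parents=True)    # legitimate plugin directory
    (plugins / "woocommerce-subscription").mkdir()  # fake backdoor plugin directory
    (plugins / "woocommerce" / "woocommerce.php").write_text("<?php // real plugin\n")
    (plugins / "init-core-helper.php").write_text("<?php // dropped file (placeholder)\n")
    encoded = base64.b64encode(b"http://redirect.example.invalid/").decode()
    (root / ".htaccess").write_text(
        "RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n"
        f"RewriteRule ^(.*)$ {encoded} [R=302,L]\n"
    )
    return str(root)


# Constructed user export and egress log lines for the demo.
SAMPLE_USERS = [("admin", "administrator"), ("editor1", "editor"), ("wp_support_sys", "administrator")]
SAMPLE_EGRESS_LOG = [
    "2026-06-11T03:14:07Z CONNECT shop-web-01 -> api.wordpress.org:443 allow",
    "2026-06-11T03:14:09Z CONNECT shop-web-01 -> cdn-stats-api.com:443 allow",
    "2026-06-11T03:15:00Z CONNECT shop-web-01 -> smtp.example.invalid:587 allow",
]

if __name__ == "__main__":
    for key, value in triage(build_sample_site(), SAMPLE_USERS, SAMPLE_EGRESS_LOG).items():
        print(f"{key}: {value}")
```

The checks are deliberately exact-match on the filenames and login the advisory names; a clean result does not prove the host is uncompromised, so treat it as a first pass before the full file-integrity audit and credential rotation the section above calls for.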
Indicators of Compromise
The following indicators are provided as a point-in-time reference and should be validated in your environment before enforcement. Indicators may change as threat actor infrastructure evolves.
Type | Indicator | Reported (date) | Source
---- | --------- | --------------- | ------
Domain | wordpress[.]org | June 18, 2026 | https://www.bleepingcomputer.com/news/security/shapedplugin-update-flow-hacked-to-infect-wordpress-sites/
References
BleepingComputer, June 18, 2026: https://www.bleepingcomputer.com/news/security/shapedplugin-update-flow-hacked-to-infect-wordpress-sites/
Threat-Modeling.com, June 19, 2026: https://threat-modeling.com/shapedplugin-wordpress-update-flow-supply-chain-attack-june-2026/
Wordfence Instagram PSA, June 16, 2026: https://www.instagram.com/p/DZqPQPbASq3/
About Rescana
Rescana provides a third-party risk management (TPRM) platform that enables organizations to continuously monitor and assess the security posture of their digital supply chain, including plugin vendors and software providers. Our platform supports rapid identification of supply chain risks, automated evidence collection, and actionable remediation guidance for incidents involving software supply chain compromise.
We are happy to answer questions at ops@rescana.com.