ctipilot.ch


ShapedPlugin's official update channel shipped backdoored WordPress Pro plugins — credential, 2FA-secret and web-shell theft

From CTI Weekly Summary — 2026-W26 (Jun 22 – Jun 28, 2026) · published 2026-06-29

If you did nothing this week: any site running the ShapedPlugin Pro plugins that auto-updated through the licensed channel pulled backdoor code straight from the vendor — being fully patched was no defence, because the trusted distribution pipeline itself was the delivery vehicle. The malicious LicenseLoader.php loads inside the WordPress admin panel, fetches a second stage, installs it as a fake plugin and then deletes itself to frustrate forensics.

Wordfence disclosed on 2026-06-22 that an attacker breached ShapedPlugin's build and Easy Digital Downloads distribution pipeline and injected backdoor code into the Pro (paid) releases of three plugins, served through the official update channels. The implant harvests credentials and 2FA secrets and drops a web shell (BleepingComputer). For a public-sector or education estate that runs WordPress behind a CMS team, the response is a hunt for the fake-plugin artefact and for unexpected LicenseLoader.php execution in the admin context, plus credential and 2FA-secret rotation for any admin who logged in during the exposure window, not merely "update the plugin." (daily 06-23)
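A minimal hunt helper for the artefacts named above, added here as an example and not code from Wordfence, BleepingComputer or ShapedPlugin: it reports any LicenseLoader.php under a WordPress install, any plugin directory absent from a site-specific allowlist (the candidate fake plugin), and any plugin directory modified inside the exposure window. The allowlist, the window dates, the plugin names and the sample tree it builds are constructed assumptions; because the loader self-deletes, the unexpected plugin directory is the more durable artefact.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone

SUSPECT_FILE = "LicenseLoader.php"  # loader file name taken from the brief above

def _utc(day):  # YYYY-MM-DD -> midnight UTC
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)

def hunt_wordpress(wp_root, plugin_allowlist, window_start, window_end):
    """Return {category: sorted relative paths} for one WordPress install.
    suspect-file: LicenseLoader.php anywhere under the install (it self-deletes,
    so absence proves nothing); unexpected-plugin: plugin directory missing from
    the site's own allowlist (candidate fake plugin); modified-in-window: plugin
    directory touched between the two YYYY-MM-DD dates, inclusive."""
    start, end = _utc(window_start), _utc(window_end) + timedelta(days=1)
    found = {"suspect-file": [], "unexpected-plugin": [], "modified-in-window": []}
    for dirpath, _dirs, files in os.walk(wp_root):
        if SUSPECT_FILE in files:
            found["suspect-file"].append(os.path.relpath(os.path.join(dirpath, SUSPECT_FILE), wp_root))
    plugins_dir = os.path.join(wp_root, "wp-content", "plugins")
    for entry in (os.listdir(plugins_dir) if os.path.isdir(plugins_dir) else []):
        pdir = os.path.join(plugins_dir, entry)
        if not os.path.isdir(pdir):
            continue
        if entry not in plugin_allowlist:
            found["unexpected-plugin"].append(os.path.relpath(pdir, wp_root))
        mtime = datetime.fromtimestamp(os.path.getmtime(pdir), timezone.utc)
        if start <= mtime < end:  # directory mtime changes when files are added or removed in it
            found["modified-in-window"].append(os.path.relpath(pdir, wp_root))
    return {k: sorted(v) for k, v in found.items()}

def build_sample_site():
    """Construct a throwaway WordPress-like tree; every name and date is made up."""
    root = tempfile.mkdtemp(prefix="wp-hunt-")
    sample = {  # plugin dir: (file inside, last-modified day)
        "akismet": ("akismet.php", "2026-01-10"),  # untouched, on the allowlist
        "sp-example-pro": ("LicenseLoader.php", "2026-06-24"),  # stand-in for a backdoored Pro plugin
        "wp-core-helper": ("index.php", "2026-06-24"),  # stand-in for the dropped fake plugin
    }
    for plugin, (filename, day) in sample.items():
        pdir = os.path.join(root, "wp-content", "plugins", plugin)
        os.makedirs(pdir)
        with open(os.path.join(pdir, filename), "w") as fh:
            fh.write("<?php // sample content\n")
        stamp = _utc(day).timestamp()
        os.utime(pdir, (stamp, stamp))  # pin the directory mtime so the window check is deterministic
    return root
```

Run it against a real install as `hunt_wordpress("/var/www/html", {...your plugin slugs...}, "2026-06-22", "2026-06-28")`; anything in `unexpected-plugin` or `suspect-file` is a candidate for preservation and offline review before cleanup.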