ctipilot.ch

ShapedPlugin WordPress Pro supply-chain backdoor (build/EDD pipeline compromise)

cve · CVE-2026-10735

Coverage timeline: 1 (first 2026-06-23 → last 2026-06-23)
Briefs: 1 (1 distinct)
Sources cited: 5 (5 hosts)
Sections touched: 0
Co-occurring entities: 3 (see Related entities below)

Story timeline

  1. 2026-06-23: CTI Daily Brief — 2026-06-23

Source distribution

  • bleepingcomputer.com: 1 (20%)
  • thehackernews.com: 1 (20%)
  • wordfence.com: 1 (20%)
  • blog.gitea.com: 1 (20%)
  • isc.sans.edu: 1 (20%)

Related entities

Items in briefs about ShapedPlugin WordPress Pro supply-chain backdoor (build/EDD pipeline compromise) (1)

ShapedPlugin build pipeline compromised — three Pro WordPress plugins backdoored to steal credentials, 2FA secrets and drop a web shell

From CTI Daily Brief — 2026-06-23 · published 2026-06-23

Wordfence disclosed on 2026-06-22 that an attacker breached the build and Easy Digital Downloads (EDD) distribution pipeline of plugin vendor ShapedPlugin and injected backdoor code into the Pro (paid) releases of three products — Product Slider Pro for WooCommerce (before 3.5.4), Real Testimonials Pro (fixed in 3.2.5) and Smart Post Show Pro (before 4.0.2) — tracked as CVE-2026-10735 (Wordfence, 2026-06-22; BleepingComputer, 2026-06-22). The free versions hosted on the WordPress.org repository were not affected — only the licensed Pro updates pushed through EDD between roughly 21 May and 12–16 June carried the injection. The malicious code planted a LicenseLoader.php stub that executes when an administrator loads any wp-admin page; it calls out to a C2, downloads a second-stage payload, installs it as a hidden fake plugin (masquerading as woocommerce-subscription / woocommerce-notification), reports the victim domain, then deletes itself to frustrate forensics (The Hacker News, 2026-06-22). The second stage steals WordPress admin credentials, 2FA TOTP secrets, wp-config.php salts and database credentials, and maintains persistence through hidden REST API endpoints. Timestamp analysis pointed to an automated injection touching only four files inside a two-hour window — consistent with a pipeline-level compromise rather than manual tampering.

Why it matters to us: This is the "trusted update channel" supply-chain pattern again (cf. the W25 OptinMonster strand), and the operational consequence is that patching is not remediation — Wordfence's guidance is to treat any site that installed an affected Pro update as fully compromised. Detection concepts (no IOCs): hunt for a LicenseLoader.php in plugin directories; for installed plugins named woocommerce-subscription / woocommerce-notification that do not appear in the admin plugin list; for php-fpm/apache2/nginx child processes making outbound connections (Sysmon EID 1 with a web-server parent image, or auditd execve on PHP workers); and for wp_users rows with administrator role created after ~21 May. Mapped to T1195.002 Compromise Software Supply Chain, T1505.003 Server Software Component: Web Shell, T1552.001 Unsecured Credentials: Credentials In Files. Remediation: update to the fixed Pro versions, then rotate all WordPress secrets — admin passwords, 2FA, DB credentials and wp-config.php salts — and review the WooCommerce order/SMTP-credential exposure.
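The three host-level hunts listed above (the LicenseLoader.php stub, plugin directories on disk that the admin plugin list does not show, and administrator accounts registered after the poisoned-update window opened), as an added POSIX shell example that is not Wordfence's or the brief's tooling. It assumes a standard WordPress layout under `$WP_ROOT/wp-content/plugins`, and that two inputs were produced beforehand with WP-CLI: `wp plugin list --field=name` for the admin-visible plugin names and `wp user list --role=administrator --fields=user_login,user_registered --format=csv` for the administrator rows (those WP-CLI options are real; the file names and the sample site the script builds are constructed for the demo).

```shell
#!/bin/sh
# Added example, not Wordfence's or the brief's code. Hunts for the three
# host-level indicators the brief names. Layout and input files are assumptions.

# Directory names the brief says the hidden second-stage plugin masquerades as.
SUSPECT_NAMES="woocommerce-subscription woocommerce-notification"
# Approximate start of the poisoned Pro-update window, per the brief.
CUTOFF_DATE="2026-05-21"

# Hunt 1: any LicenseLoader.php stub under the plugins tree.
find_license_loader() {
  find "$1" -type f -name 'LicenseLoader.php'
}

# Hunt 2: plugin directories on disk that either carry a masquerade name or are
# absent from the admin-visible list (one plugin slug per line). Comparing the
# filesystem against what WordPress reports is the point: a second stage that
# hooks the plugin list hides itself from wp-admin and WP-CLI alike.
find_hidden_plugins() {
  plugins_dir=$1
  listed=$2
  for dir in "$plugins_dir"/*/; do
    [ -d "$dir" ] || continue
    name=$(basename "$dir")
    suspect=0
    for s in $SUSPECT_NAMES; do
      [ "$name" = "$s" ] && suspect=1
    done
    if [ "$suspect" -eq 1 ] || ! grep -qxF "$name" "$listed"; then
      echo "$name"
    fi
  done
}

# Hunt 3: administrator rows registered after the cutoff. Input is the WP-CLI
# CSV export (header line, then user_login,user_registered). ISO timestamps
# compare correctly as strings, so awk needs no date parsing.
find_new_admins() {
  awk -F, -v cutoff="$CUTOFF_DATE" \
    'NR > 1 && substr($2, 1, 10) > cutoff { print $1 }' "$1"
}

# Constructed sample site so the script runs stand-alone (not real data):
# one planted stub, one masquerading plugin dir hidden from the list, and one
# administrator created inside the window.
make_sample_site() {
  root=$1
  mkdir -p "$root/wp-content/plugins/product-slider-pro/includes" \
           "$root/wp-content/plugins/woocommerce-notification" \
           "$root/wp-content/plugins/akismet"
  echo '<?php // constructed stub, no payload' \
    > "$root/wp-content/plugins/product-slider-pro/includes/LicenseLoader.php"
  printf 'product-slider-pro\nakismet\n' > "$root/listed-plugins.txt"
  printf 'user_login,user_registered\nadmin,2024-01-10 09:00:00\nwp_support,2026-06-02 03:14:07\n' \
    > "$root/admins.csv"
}

# Run with `sh hunt.sh --demo` to see the hunts against the sample site;
# against a real install, call the three hunt functions with your own paths.
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d)
  make_sample_site "$demo"
  echo "[stub]         $(find_license_loader "$demo/wp-content/plugins")"
  echo "[hidden]       $(find_hidden_plugins "$demo/wp-content/plugins" "$demo/listed-plugins.txt")"
  echo "[new admins]   $(find_new_admins "$demo/admins.csv")"
  rm -rf "$demo"
fi
```

Any hit from the first two hunts should be handled as the brief says: treat the site as compromised and rotate every secret rather than just updating the plugin. The third hunt only narrows review to accounts created in the window; legitimate accounts will appear too and need a manual check.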