ShapedPlugin's official update channel shipped backdoored WordPress Pro plugins: credential and 2FA-secret theft, plus a dropped web shell
Part of run 2026-W26-b78503e7 (weekly · Anthropic Claude (specific model not determined))
If you did nothing this week: any site running the ShapedPlugin Pro plugins that auto-updated through the licensed channel pulled backdoor code straight from the vendor. Patch level was no defence, because the trusted distribution pipeline itself delivered the malicious code. The malicious LicenseLoader.php loads inside the WordPress admin panel, fetches a second stage, installs it as a fake plugin and self-deletes to frustrate forensics.
Wordfence disclosed on 2026-06-22 that an attacker breached ShapedPlugin's build and Easy Digital Downloads distribution pipeline and injected backdoor code into the Pro (paid) releases of three plugins, served through official update channels. The implant harvests credentials and 2FA secrets and drops a web shell (BleepingComputer). For a public-sector or education estate that runs WordPress behind a CMS team, the hunt is for the fake-plugin artefact and unexpected LicenseLoader.php execution in the admin context, plus credential/2FA rotation for any admin who logged in during the exposure window — not merely "update the plugin." (daily 06-23)
“Attackers compromised the vendor's build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels” — Wordfence
“The malicious packages contained a file named LicenseLoader.php, which was loaded automatically within the WordPress admin panel ... downloaded a second-stage payload, installed it as a fake plugin ... and then deleted itself to hinder forensic analysis” — BleepingComputer
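One way to run the filesystem side of the hunt described above, as an added example that is not code from Wordfence, BleepingComputer or the vendor. The plugin inventory, the exposure-window start and every slug and path except the LicenseLoader.php file name are assumptions or constructed sample data.

```python
import os
import tempfile
from pathlib import Path

LOADER_NAME = "LicenseLoader.php"  # file name reported in the malicious packages

def hunt(plugins_dir, expected_slugs, window_start):
    """Return sorted (finding, relative_path) tuples for one wp-content/plugins tree.

    expected_slugs: plugin directory names the CMS team deployed (assumed inventory).
    window_start:   epoch seconds for the start of the exposure window (assumed input).
    """
    root = Path(plugins_dir)
    findings = set()
    for entry in root.iterdir():
        if not entry.is_dir():
            continue
        # Fake-plugin artefact: a plugin directory nobody deployed.
        if entry.name not in expected_slugs:
            findings.add(("unexpected-plugin", entry.name))
        for php in entry.rglob("*.php"):
            rel = php.relative_to(root).as_posix()
            # The loader deletes itself after running, so a hit means it has
            # not executed yet or the deletion failed; no hit clears nothing.
            if php.name.lower() == LOADER_NAME.lower():
                findings.add(("loader-present", rel))
            # PHP written inside the window: review it against the vendor package.
            if php.stat().st_mtime >= window_start:
                findings.add(("php-modified-in-window", rel))
    return sorted(findings)

def build_demo_tree(base, window_start):
    """Constructed sample tree; all slugs and paths here are made up."""
    layout = {
        "example-pro-plugin/main.php": window_start - 86400,  # pre-window file
        "example-pro-plugin/inc/LicenseLoader.php": window_start + 60,
        "constructed-fake-plugin/loader.php": window_start + 120,  # not in inventory
    }
    for rel, mtime in layout.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<?php // constructed placeholder\n")
        os.utime(path, (mtime, mtime))
    return Path(base)

if __name__ == "__main__":
    start = 1_780_000_000  # constructed timestamp, not the real exposure window
    with tempfile.TemporaryDirectory() as tmp:
        for finding in hunt(build_demo_tree(tmp, start), {"example-pro-plugin"}, start):
            print(*finding, sep="\t")
```

File modification times can be reset by code running as the web server user, so treat the in-window findings as leads to review and rely on the inventory comparison for the fake-plugin check.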