ShapedPlugin Supply Chain Attack Backdoors Pro Plugin Updates

Pierluigi Paganini
June 23, 2026

Attackers backdoored ShapedPlugin Pro updates, deploying malware that steals credentials, 2FA secrets, and grants full site access.

If you installed a ShapedPlugin Pro plugin between April and June 2026 and kept it updated, your site may be compromised. Not because you did something wrong, but because the vendor’s own build and distribution pipeline was breached. Cybersecurity firm Wordfence confirmed the attack on June 12th after obtaining a backdoored copy of Real Testimonials Pro 3.2.5 directly from ShapedPlugin’s official update endpoint.

ShapedPlugin is a WordPress software company that develops premium and free plugins for WordPress and WooCommerce websites. Founded in 2015, it offers plugins for carousels, galleries, testimonials, weather widgets, accordions, product displays, team showcases, and other website functions. Its products are used by hundreds of thousands of websites worldwide.

The WordPress plugin vendor has over 400,000 active free plugin installations.

“During our investigation, we discovered that attackers compromised the vendor’s build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels,” reads the report published by Wordfence. “As with all supply chain compromises, this attack is particularly insidious because affected site owners followed security best practices: they purchased legitimate licenses and installed updates directly from the vendor’s official update system. Supply chain compromises are becoming significantly more common in all software, including WordPress software.”

The researchers confirmed that at least three Pro plugins were compromised: Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro. Free plugins on WordPress.org were left clean, which was almost certainly deliberate.

The infection runs in two stages. The first is a loader file called LicenseLoader.php that downloads a payload from an attacker-controlled server, installs it as a fake plugin, reports the victim domain back to the attacker, and then deletes itself.

“This self-deleting behavior means the initial infection vector disappears after first execution, complicating forensic analysis for site owners who notice the infection later,” continues the report.

The dropped payload disguises itself as WooCommerce-related plugins, using names like “woocommerce-subscription” in the singular form, one letter away from the legitimate plugin name.

What that payload does once installed is extensive. It hides itself from the WordPress admin plugin list, registers a REST API backdoor that accepts arbitrary file writes, bundles Tiny File Manager and Adminer for direct GUI access to files and databases, and installs a webshell that accepts commands via URL parameters. There’s also a hardcoded login bypass: a single MD5 hash lets the attacker authenticate as any administrator without knowing their password. That’s not a subtle intrusion; that’s a full set of keys.

The malware steals credentials in a more sophisticated way than typical threats.

“What makes this variant particularly concerning is its targeted exfiltration of two-factor authentication secrets. The malware specifically searches for TOTP seeds from multiple 2FA plugins,” continues the report.

Attackers send the stolen passwords and 2FA secrets to generate.2faplugin.org, a domain that blends in with legitimate two-factor traffic. If an attacker has both your password and your TOTP seed, changing your password after discovery doesn’t help on its own.

The forensic evidence points to a CI/CD pipeline compromise rather than someone manually tampering with ZIP files. Only four files were modified on May 21st within a two-hour window, consistent with an automated build step. The compromised package also contains git SHA references confirming it was built from a private repository. The attacker had access to deploy updates to both WordPress.org and the Pro distribution system, but only injected malware into some Pro builds — either because WordPress.org scans for malware or because paying customers are higher-value targets. Possibly both.

The C2 infrastructure is registered to AEZA GROUP LLC, tied to Russian-based entities. The exfiltration domain 2faplugin.org was updated on May 10th, about eleven days before the backdoor was injected into Pro builds. Anyone who installed any ShapedPlugin Pro product between April and June 2026 should scan immediately, check for fake plugins under wp-content/plugins/woocommerce-subscription/ or woocommerce-notification/, rotate all WordPress admin passwords, database credentials, and API keys, and, critically, revoke and regenerate 2FA secrets for every user on the site, since existing TOTP seeds should be considered stolen.

“This supply chain attack demonstrates the evolving threat landscape facing WordPress site owners. The attackers did not exploit a vulnerability in the plugin code itself: they compromised the vendor’s build and distribution infrastructure, turning legitimate licensed updates into malware delivery vehicles,” concludes the report. “The inclusion of 2FA secret exfiltration marks a concerning evolution in WordPress-targeted malware.”
