
ShapedPlugin hit by network compromise

Incident
First reported
Last updated
Happening score
H score 20
1 unique source, 1 article

Summary


ShapedPlugin suffered a supply-chain compromise that pushed infected WordPress plugin releases to paying customers through the vendor's official update system, putting affected sites at risk of credential theft and remote file-writing. The incident affected Product Slider Pro before 3.5.4 for WooCommerce, Real Testimonials Pro 3.2.5, and Smart Post Show Pro before 4.0.2. Researchers tied the backdoor injection to May 21 and confirmed malicious downloads on June 12. The vendor acknowledged the incident on June 16 and began preparing updated releases.

Related Happenings

ShapedPlugin LicenseLoader fake WooCommerce backdoor

Malware Activity
H score 21 · First: 18.06.2026 15:55 · Last: 18.06.2026 15:55 · Sources: 1

How related: According to Wordfence’s analysis, the infected plugins contain a malicious loader file (LicenseLoader.php) that activates when a WordPress administrator accesses the website’s admin panel.

About this happening: The **LicenseLoader.php** malware embedded in infected ShapedPlugin releases now enables **credential theft**, **2FA secret theft**, and **remote file-writing** on compromised Wor...

Everest Forms Pro plugin actively exploited RCE (CVE-2026-3300)

Vulnerability
H score 87 · First: 04.06.2026 19:15 · Last: 04.06.2026 19:15 · Sources: 1

About this happening: **Everest Forms Pro** has an **actively exploited** critical **remote code execution** flaw, **CVE-2026-3300**, that lets unauthenticated attackers run **PHP** and take over **Wor...

Funnel Builder security patch release (version 3.15.0.3)

Security Patch Release
H score 77 · First: 16.05.2026 18:20 · Last: 16.05.2026 18:20 · Sources: 1

About this happening: **FunnelKit** released **version 3.15.0.3** to fix a **Funnel Builder** flaw that was being **actively exploited** to inject malicious JavaScript into **WooCommerce checkout pages...

Smart Slider 3 Pro update system for WordPress hit by network compromise

Incident
H score 76 · First: 09.04.2026 19:15 · Last: 09.04.2026 19:15 · Sources: 1

About this happening: The **Smart Slider 3 Pro** update system was compromised, and a **malicious 3.5.1.35** release was pushed to **WordPress and Joomla** sites. The bad update could create **hidden a...

Chinese state-sponsored campaign to hijack Notepad++ update traffic

Campaign
H score 32 · First: 02.02.2026 16:53 · Last: 02.02.2026 16:53 · Sources: 1

About this happening: A **months-long campaign** hijacked **Notepad++ update traffic**, selectively sending some users to malicious servers and threatening the integrity of software updates. The operat...

Timeline

  1. 18.06.2026 15:55 · 1 article

    Backdoor is injected into ShapedPlugin Pro builds

    Exploitation Observed

    Defiant's Wordfence data indicates that a backdoor was injected into ShapedPlugin's Pro builds on May 21, marking the compromise point in the vendor's release pipeline. Those infected builds were later distributed through the official update system to paying customers.

  2. 18.06.2026 15:55 · 1 article

    Customers report potentially malicious ShapedPlugin updates

    Initial Disclosure

    First customer reports about potentially malicious updates emerged on June 10, indicating that paying customers had started flagging ShapedPlugin's plugin releases as suspicious. The reports preceded the later confirmation of infected builds.

  3. 18.06.2026 15:55 · 1 article

    Researchers confirm infected ShapedPlugin plugin releases contain a backdoor

    Technical Analysis Update

    Researchers confirmed the ShapedPlugin breach on June 12 after downloading infected plugins from the vendor's site. The malicious packages delivered a fake WooCommerce component that stole credentials and enabled remote file-writing on compromised sites.

  4. 18.06.2026 15:55 · 1 article

    ShapedPlugin acknowledges the compromise and prepares updated plugin releases

    Mitigation Patch Update

    ShapedPlugin acknowledged the incident on June 16, said its team had initiated an investigation and implemented mitigation measures, and stated that updated plugin releases were being prepared and validated before being pushed to the update channels. Wordfence also noted fixes for Product Slider Pro and Smart Post Show Pro.

  5. 18.06.2026 15:55 · 1 article

    WordPress tracks ShapedPlugin compromise as CVE-2026-10735

    Legal Policy Action Update

    WordPress is currently tracking the ShapedPlugin supply-chain compromise under CVE-2026-10735, and CVE-2026-49777 was also submitted as a duplicate. Releases hosted on WordPress.org were confirmed clean, pointing to ShapedPlugin's release infrastructure as the access path.
