
ShapedPlugin's Official Update Server Delivered Backdoors for 28 Days


The most dangerous clicks in security aren't spam links or phishing emails — they're the ones that look completely routine. On May 21, 2026, attackers quietly compromised ShapedPlugin's build and distribution pipeline, and for the next 28 days, every WordPress admin who clicked "update" on three of the company's premium plugins received a credential-stealing backdoor delivered from ShapedPlugin's own official servers.

This is a supply chain attack in its most insidious form: not a vulnerability in the plugin code itself, but a compromise of the vendor's infrastructure that weaponizes the very trust mechanism site owners are supposed to rely on.

How the Build Pipeline Was Compromised

Wordfence Threat Intelligence received reports of suspicious activity on June 11, 2026, and confirmed that ShapedPlugin's Easy Digital Downloads (EDD) update system — the commercial licensing platform the company uses to deliver paid plugin updates — had been infiltrated. Forensic analysis showed that attackers modified four files within a two-hour window on May 21, with timestamp patterns consistent with an automated injection process rather than manual tampering. Researchers also found references to private Git repositories in the plugin metadata that aligned with ShapedPlugin's release workflow, suggesting deep access to development systems, not just the distribution endpoint.

The poisoned updates were still being served from ShapedPlugin's official endpoints as late as June 12 — more than three weeks after the initial compromise. The vendor publicly acknowledged the breach on June 16 and published clean updates shortly after.

What the Backdoor Actually Did

The malicious code introduced a loader file called LicenseLoader.php that activates whenever an administrator visits the WordPress dashboard. On activation, it contacts a command-and-control server at 194.76.217[.]28:2871 and downloads a second-stage payload disguised as a legitimate WooCommerce plugin — appearing on disk as woocommerce-subscription or woocommerce-notification and hidden from the standard plugin list. That payload then self-deletes its installer to erase traces while leaving persistent access mechanisms behind.

The full capability set shows this wasn't a rushed smash-and-grab. The backdoor bundle included:

  • Credential interception: Captured plaintext WordPress usernames, passwords, session cookies, IP addresses, and browser details at the login form
  • 2FA seed theft: Extracted TOTP secrets from four major two-factor plugins — WP 2FA, Wordfence Login Security, Really Simple SSL 2FA, and Two-Factor — exfiltrating seeds to generate.2faplugin.org, a domain the attackers registered specifically for this operation
  • Database access: Harvested wp-config.php credentials, authentication keys, and salts
  • Email and API credentials: Pulled SMTP configuration from installed mail plugins
  • WooCommerce order data: Extracted three months of order records including payment information
  • Persistent file access: Deployed Tiny File Manager 2.6 and Adminer 5.2.1 as embedded tools, plus REST API backdoor endpoints permitting arbitrary file writes

The 2FA theft deserves particular attention. Stealing a TOTP seed isn't the same as intercepting a one-time code — it gives an attacker the ability to generate valid codes indefinitely, permanently bypassing 2FA on every affected account until administrators regenerate their secrets from scratch. Resetting a password alone won't fix this.
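To make the difference between a stolen one-time code and a stolen seed concrete, here is a short Python illustration added to this post; it is not ShapedPlugin's code or any 2FA plugin's code. It implements RFC 6238 TOTP directly, uses the RFC's published test-vector seed as a stand-in for a seed a 2FA plugin would store, and models an admin account as a small dict with a stand-in password hash. The account model, the timestamps and the `second_factor_accepted` check are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(seed, unix_time // step, digits)


def seed_from_base32(encoded: str) -> bytes:
    """2FA plugins and authenticator apps handle the seed base32-encoded; decode that form."""
    raw = encoded.strip().upper().replace(" ", "")
    return base64.b32decode(raw + "=" * (-len(raw) % 8))


# Constructed seed: the RFC 6238 test-vector key, standing in for one a 2FA plugin stored.
SITE_SEED = b"12345678901234567890"


def new_account(password: str, seed: bytes) -> dict:
    """Minimal account model (assumption for this demo): a password hash plus the TOTP seed.
    SHA-256 is only a stand-in for a real password hash; it is not the point being shown."""
    return {"password_hash": hashlib.sha256(password.encode()).hexdigest(), "totp_seed": seed}


def reset_password(account: dict, new_password: str) -> dict:
    """A password reset replaces the hash and leaves the TOTP seed exactly as it was."""
    return {**account, "password_hash": hashlib.sha256(new_password.encode()).hexdigest()}


def reenroll_totp(account: dict) -> dict:
    """Fresh TOTP enrollment issues a new random seed; only this invalidates an exfiltrated copy."""
    return {**account, "totp_seed": secrets.token_bytes(20)}


def second_factor_accepted(account: dict, code: str, unix_time: int) -> bool:
    """The site-side check: does the submitted code match the code derived from the stored seed?"""
    return hmac.compare_digest(totp(account["totp_seed"], unix_time), code)


def codes_diverge(seed_a: bytes, seed_b: bytes, unix_time: int, steps: int = 3) -> bool:
    """True when two seeds disagree on at least one of the next `steps` codes."""
    return any(totp(seed_a, unix_time + 30 * i) != totp(seed_b, unix_time + 30 * i)
               for i in range(steps))


if __name__ == "__main__":
    now = 1_800_000_000                      # constructed timestamp; the outcome is time-independent
    account = new_account("old-password", SITE_SEED)
    stolen = SITE_SEED                       # a copy exfiltrated while the backdoor was installed
    print("now:                  ", second_factor_accepted(account, totp(stolen, now), now))
    later = now + 365 * 86400
    print("one year later:       ", second_factor_accepted(account, totp(stolen, later), later))
    account = reset_password(account, "new-password")
    print("after password reset: ", second_factor_accepted(account, totp(stolen, now), now))
    account = reenroll_totp(account)
    print("after re-enrollment:  ", second_factor_accepted(account, totp(stolen, now), now))
```

The first three checks stay true no matter how far ahead the clock runs or how many times the password changes, because the stored seed is the only input the second factor depends on. Only `reenroll_totp`, which replaces the seed, makes the stolen copy useless; that is the step the checklist below means by "regenerate 2FA secrets".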

Which Plugins Are Affected

Only ShapedPlugin's commercial products distributed through its EDD licensing platform were compromised. Free versions on WordPress.org are clean. The three affected plugins and their patched versions:

  • Product Slider Pro for WooCommerce — update to v3.5.4 or later (CVE-2026-49777, CVSS 10.0)
  • Real Testimonials Pro — v3.2.5 is backdoored; update to v3.2.6 (CVE-2026-10735, CVSS 9.8)
  • Smart Post Show Pro — update to v4.0.2 or later (CVE-2026-10735)

If you or your clients ran any of these premium plugins between May 21 and June 18, 2026, treat the site as compromised until you complete a full remediation.

What to Do Right Now

Updating to the patched versions is the first step, not the last. Clean plugin files don't undo backdoors already written to disk or credentials already exfiltrated. Work through this in order:

  • Update all three plugins to their patched versions immediately
  • Scan the filesystem: Look inside wp-content/plugins/ for directories named woocommerce-subscription or woocommerce-notification that don't appear in your admin plugin list — delete them
  • Audit administrator accounts for any unfamiliar users and remove them
  • Rotate every credential: WordPress admin passwords, database passwords, wp-config.php salts and authentication keys, SMTP credentials, and any API keys stored in configuration files
  • Regenerate 2FA secrets for all administrator accounts — this means forcing fresh TOTP enrollment, not just changing passwords. The seeds may have been exfiltrated; a new password behind a compromised TOTP seed is still a compromised account
  • Review WooCommerce orders and payment configuration for unauthorized changes or data access over the past 60–90 days
  • Check server and firewall logs for outbound connections to 194.76.217.28 or DNS lookups for any subdomain of 2faplugin.org
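The filesystem and log checks in that list can be scripted. The Python below is an added example, not a tool from Wordfence, ShapedPlugin or Falcon Internet: it compares the plugin directories on disk with the plugin slugs the dashboard lists (assumed to be exported with WP-CLI's `wp plugin list --field=name`), flags the directory names, loader file name, C2 address and exfiltration domain given above, and runs the log check over a constructed log excerpt. It goes slightly beyond the checklist by flagging any on-disk plugin directory the dashboard does not list, not only the two names seen in this campaign. It builds a throwaway plugins directory so it runs offline; point `find_suspicious_plugins` at a real wp-content/plugins/ and `scan_log_lines` at real firewall or resolver logs to use it.

```python
import os
import re
import tempfile

# Indicators taken from the advisory above: hidden plugin directory names, the loader file name,
# the C2 address and the exfiltration domain. Everything else in this script is constructed.
BACKDOOR_DIRS = {"woocommerce-subscription", "woocommerce-notification"}
LOADER_FILE = "LicenseLoader.php"
C2_IP_RE = re.compile(r"(?<![\d.])194\.76\.217\.28(?!\d)")
# Any label chain ending in 2faplugin.org, but not 2faplugin.org.something-else.
EXFIL_DOMAIN_RE = re.compile(
    r"(?<![a-z0-9.-])(?:[a-z0-9-]+\.)*2faplugin\.org(?![a-z0-9-])(?!\.[a-z0-9])", re.I)


def find_suspicious_plugins(plugins_dir: str, listed_plugins: set) -> list:
    """Compare wp-content/plugins/ on disk with the plugin slugs the dashboard lists.

    listed_plugins is assumed to come from `wp plugin list --field=name`. A directory that exists
    on disk but is missing from that list is exactly what the hidden second stage looks like.
    Returns (finding-kind, path-relative-to-plugins_dir) pairs.
    """
    findings = []
    for name in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, name)
        if not os.path.isdir(path):
            continue
        if name in BACKDOOR_DIRS:
            findings.append(("known-backdoor-dir", name))
        if name not in listed_plugins:
            findings.append(("unlisted-plugin-dir", name))
        for root, _dirs, files in os.walk(path):
            if LOADER_FILE in files:
                rel = os.path.relpath(os.path.join(root, LOADER_FILE), plugins_dir)
                findings.append(("loader-file", rel.replace(os.sep, "/")))
    return findings


def scan_log_lines(lines) -> list:
    """Flag lines showing traffic to the C2 address or a lookup of any 2faplugin.org name."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        if C2_IP_RE.search(line):
            hits.append((lineno, "c2-ip", line.strip()))
        elif EXFIL_DOMAIN_RE.search(line):
            hits.append((lineno, "exfil-domain", line.strip()))
    return hits


# Constructed log excerpt (not captured traffic): one outbound connection, one DNS query,
# and one ordinary admin request that must not match.
SAMPLE_LOG = [
    "2026-06-10T03:14:07Z firewall: OUT tcp uid=33 dst=194.76.217.28:2871 ALLOW",
    "2026-06-10T03:14:08Z resolver: query generate.2faplugin.org IN A from 127.0.0.1",
    "2026-06-10T03:15:00Z nginx: 203.0.113.5 GET /wp-admin/index.php 200",
]


def build_fixture() -> str:
    """Create a throwaway plugins directory that mimics a compromised site (constructed)."""
    base = tempfile.mkdtemp(prefix="wp-plugins-")
    for slug in ("product-slider-pro", "wordfence", "woocommerce-notification"):
        os.makedirs(os.path.join(base, slug))
    # The loader arrived inside the premium plugin's update; the content here is a placeholder.
    with open(os.path.join(base, "product-slider-pro", LOADER_FILE), "w") as fh:
        fh.write("<?php // placeholder standing in for the loader; real content not reproduced\n")
    return base


def run_checks(plugins_dir: str, listed_plugins: set, log_lines) -> dict:
    """Run both checks and return the findings grouped by source."""
    return {"filesystem": find_suspicious_plugins(plugins_dir, listed_plugins),
            "logs": scan_log_lines(log_lines)}


if __name__ == "__main__":
    fixture = build_fixture()
    listed = {"product-slider-pro", "wordfence"}   # what the tampered dashboard shows
    for section, rows in run_checks(fixture, listed, SAMPLE_LOG).items():
        print(section)
        for row in rows:
            print("  ", row)
```

A "known-backdoor-dir" or "loader-file" finding means the site should be treated as compromised and the rest of the checklist applied in full. An "unlisted-plugin-dir" finding on its own is worth a look but is not proof; some legitimate plugins are removed from the list while a directory lingers.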

Why Supply Chain Attacks Are Particularly Hard to Stop

Supply chain attacks are expensive to defend against precisely because they exploit correct behavior. A WordPress site updating a plugin from the vendor's official server isn't doing anything wrong — the attack surface isn't the plugin, it's the entire chain from developer workstation to build system to distribution endpoint to your dashboard. Traditional defenses (WAF, malware scanning, login security) don't catch a backdoor that arrives signed and verified from the vendor's own CDN.

This is the second notable WordPress supply chain compromise in recent memory, following the Gravity SMTP incident in June. The pattern is becoming established enough that "keep plugins updated" is no longer complete advice — you also need visibility into what those updates actually contain. File integrity monitoring, outbound connection alerts, and post-update plugin audits are no longer optional on production sites running commercial plugins.
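One way to get that visibility is a hash baseline taken before each update and diffed afterwards. The Python below is an added example, not Falcon Internet's tooling: it snapshots a plugins directory, diffs two snapshots, lists newly added PHP files for review, and reads the Version: header to show that the number the dashboard displays moves exactly as it would for a legitimate update. The plugin slug, file layout and version numbers in the fixture are constructed; only the loader's file name comes from the advisory.

```python
import hashlib
import os
import re
import tempfile


def snapshot(root: str) -> dict:
    """Map every regular file under root (path relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return digests


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify every path as added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def new_executable_files(diff: dict) -> list:
    """Added files PHP will execute: the first thing a post-update audit should read."""
    return [p for p in diff["added"] if p.lower().endswith((".php", ".phtml", ".phar"))]


VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.M)


def plugin_version(main_file_text: str):
    """Read the Version: line of a plugin header, i.e. the number the dashboard displays."""
    match = VERSION_RE.search(main_file_text)
    return match.group(1) if match else None


# Constructed fixture: slug, file layout and version numbers are assumptions made for the demo.
PLUGIN_SLUG = "real-testimonials-pro"
MAIN_FILE = f"{PLUGIN_SLUG}/{PLUGIN_SLUG}.php"
HEADER = "<?php\n/**\n * Plugin Name: Real Testimonials Pro\n * Version: {version}\n */\n"


def installed_version(root: str):
    """Version the dashboard would show for the fixture plugin under root."""
    with open(os.path.join(root, MAIN_FILE)) as fh:
        return plugin_version(fh.read())


def simulate_update():
    """Install a clean plugin, take a baseline, then apply an 'update' that bumps the version
    and adds one extra PHP file. Returns (root, baseline_snapshot, post_update_snapshot)."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    os.makedirs(os.path.join(root, PLUGIN_SLUG))
    with open(os.path.join(root, MAIN_FILE), "w") as fh:
        fh.write(HEADER.format(version="1.4.0") + "// plugin code\n")
    before = snapshot(root)
    with open(os.path.join(root, MAIN_FILE), "w") as fh:
        fh.write(HEADER.format(version="1.4.1") + "// plugin code\n")
    with open(os.path.join(root, PLUGIN_SLUG, "LicenseLoader.php"), "w") as fh:
        fh.write("<?php // placeholder for the injected loader; real content not reproduced\n")
    after = snapshot(root)
    return root, before, after


if __name__ == "__main__":
    root, before, after = simulate_update()
    print("version after update:", installed_version(root))   # looks like a routine bump
    changes = diff_snapshots(before, after)
    for kind, paths in changes.items():
        print(f"{kind:9}", paths)
    print("new PHP files to review:", new_executable_files(changes))
```

In practice the baseline is stored off-host (the attacker in this incident had file write access through the REST API backdoor, so a baseline on the same disk can be edited), and the post-update diff is compared against what the vendor's changelog says changed. A version bump plus an unexplained new PHP file is the signal a version-number check alone can never produce.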

At Falcon Internet, supply chain hygiene is one reason we audit plugin sources on managed sites rather than tracking version numbers alone — because a backdoored package's version number looks exactly right.

Need this handled instead of explained?

We do this for a living — talk to an engineer about your setup.