WordPress Plugin Vulnerabilities

ShapedPlugin Multiple Pro Plugins - Backdoor via Compromised Vendor Update Server

Description

Multiple ShapedPlugin Pro plugins were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites.

Confirmed malicious builds: Smart Post Show Pro 4.0.1, Product Slider for WooCommerce Pro 3.5.2, and Real Testimonials Pro 3.2.4, each pulled by the vendor and superseded by a clean release. However, there hasn't been any public statement from the vendor, who ghosted us after we reported the issue to them.

Indicators of compromise:
- C2 / dropper host: 194.76.217.28:2871
- Beacon: POST http://194.76.217.28:2871/api.php
- Dropper URL: http://194.76.217.28:2871/files/woocommerce-subscription.zip
- Persistent stage filename: wp-content/plugins/woocommerce-subscription/install-persistent.php
- Malicious file in primary build: includes/class-smart-show-pro-installer.php
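An added example (not part of the advisory or any vendor code) that checks a site for the indicators listed above: it looks for the persistent-stage path and the installer file name under a WordPress root, and flags outbound-connection log lines that mention the C2 host, labelling which step of the chain (beacon, dropper fetch) each line shows. The log format, the demo plugin directory name and the benign 198.51.100.7 address are constructed.

```python
import tempfile
from pathlib import Path

# Indicators quoted from the advisory above.
C2_HOST = "194.76.217.28"
PERSISTENT_STAGE = "wp-content/plugins/woocommerce-subscription/install-persistent.php"
INSTALLER_NAME = "class-smart-show-pro-installer.php"  # shipped under includes/ in the bad build
# URL paths on the C2 host, used to label which step of the chain a log line shows.
STAGE_BY_PATH = {"/api.php": "beacon", "/files/woocommerce-subscription.zip": "dropper"}


def scan_install(wp_root):
    """Return sorted (indicator, path) pairs found under a WordPress document root.

    The persistent stage has a fixed path.  The malicious installer is only known
    by file name, so every plugin directory is searched for it."""
    root = Path(wp_root)
    hits = []
    stage = root / PERSISTENT_STAGE
    if stage.is_file():
        hits.append(("persistent-stage", str(stage)))
    plugins = root / "wp-content" / "plugins"
    if plugins.is_dir():
        hits += [("installer", str(p)) for p in plugins.rglob(INSTALLER_NAME)]
    return sorted(hits)


def scan_egress_log(lines):
    """Return (line_no, stage) for log lines that reference the C2 host.

    Any text log of outbound connections works (proxy, firewall, PHP error log).
    Matching on the bare IP keeps a firewall that logs the destination port in a
    separate field in scope; lines without a known URL path are 'c2-contact'."""
    hits = []
    for no, line in enumerate(lines, 1):
        if C2_HOST not in line:
            continue
        stage = next((s for p, s in STAGE_BY_PATH.items() if p in line), "c2-contact")
        hits.append((no, stage))
    return hits


def build_demo_install():
    """Create a throwaway tree containing both indicator files (constructed test data)."""
    root = Path(tempfile.mkdtemp())
    for rel in (PERSISTENT_STAGE, "wp-content/plugins/demo-plugin/includes/" + INSTALLER_NAME):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("<?php // placeholder, not the real payload\n")
    return root


# Constructed outbound-connection log; the C2 entries mirror the advisory's URLs.
SAMPLE_EGRESS_LOG = [
    "php-fpm outbound 194.76.217.28:2871 POST /api.php 200",
    "php-fpm outbound 194.76.217.28:2871 GET /files/woocommerce-subscription.zip 200",
    "php-fpm outbound 198.51.100.7:443 GET /wp-json/ 200",
]
```

Run `scan_install` against the site's document root and `scan_egress_log` over whatever outbound-connection log the host keeps; a hit on either is grounds to treat the site as compromised rather than merely patching to the fixed release.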

Affects Plugins

Fixed in 4.0.2
Fixed in 3.2.5

References

Miscellaneous

Original Researcher
Mike Gozdiskowski
Submitter
Mike Gozdiskowski
Verified
Yes

Timeline

Publicly Published
2026-06-03
Added
2026-06-03
Last Updated
2026-06-03

Other