{"id":279319,"date":"2026-06-23T04:22:00","date_gmt":"2026-06-23T08:22:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/23\/shapedplugin-supply-chain-attack-backdoors-pro-plugin-updates\/"},"modified":"2026-06-23T06:10:33","modified_gmt":"2026-06-23T10:10:33","slug":"shapedplugin-supply-chain-attack-backdoors-pro-plugin-updates","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/23\/shapedplugin-supply-chain-attack-backdoors-pro-plugin-updates\/","title":{"rendered":"ShapedPlugin Supply Chain Attack Backdoors Pro Plugin Updates"},"content":{"rendered":"<p><a href=\"https:\/\/securityaffairs.com\/194059\/hacking\/shapedplugin-supply-chain-attack-backdoors-pro-plugin-updates.html?amp\">ShapedPlugin Supply Chain Attack Backdoors Pro Plugin Updates<\/a><\/p>\n<p>Publish Date: 2026-06-23 04:22:00<\/p>\n<p>Source Domain: <a href=\"securityaffairs.com\">securityaffairs.com<\/a><\/p>\n<h2>ShapedPlugin Supply Chain Attack Backdoors Pro Plugin Updates<\/h2>\n<p><span>Pierluigi Paganini<\/span><br \/>\n<span>June 23, 2026<\/span><\/p>\n<p><img decoding=\"async\" class=\"img-fluid mb-4\" src=\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2015\/05\/DOM-based-XSS-wordpress-2.jpg?fit=610%2C390&#038;ssl=1\" alt=\"\"\/><\/p>\n<h2 class=\"wp-block-heading\">Attackers backdoored ShapedPlugin Pro updates, deploying malware that steals credentials, 2FA secrets, and grants full site access.<\/h2>\n<p class=\"wp-block-paragraph\">If
you installed a ShapedPlugin Pro plugin between April and June 2026 and kept it updated, your site may be compromised. Not because you did something wrong, but because the vendor\u2019s own build and distribution pipeline was breached. Cybersecurity firm Wordfence confirmed the attack on June 12th after obtaining a backdoored copy of Real Testimonials Pro 3.2.5 directly from ShapedPlugin\u2019s official update endpoint.<\/p>\n<p class=\"wp-block-paragraph\">ShapedPlugin is a WordPress software company that develops premium and free plugins for WordPress and WooCommerce websites. Founded in 2015, it offers plugins for carousels, galleries, testimonials, weather widgets, accordions, product displays, team showcases, and other website functions. Its products are used by hundreds of thousands of websites worldwide.<\/p>\n<p class=\"wp-block-paragraph\">The WordPress plugin vendor has over 400,000 active free plugin installations.<\/p>\n<p class=\"wp-block-paragraph\">\u201cDuring our investigation, we discovered that attackers compromised the vendor\u2019s build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels,\u201d reads the report published by Wordfence. \u201cAs with all supply chain compromises, this attack is particularly insidious because affected site owners followed security best practices: they purchased legitimate licenses and installed updates directly from the vendor\u2019s official update system. Supply chain compromises are becoming significantly more common in all software, including WordPress software.\u201d<\/p>\n<p class=\"wp-block-paragraph\">The researchers confirmed that at least three Pro plugins were compromised: Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro. 
Free plugins on WordPress.org were&#8230;<\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/194059\/hacking\/shapedplugin-supply-chain-attack-backdoors-pro-plugin-updates.html?amp\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>ShapedPlugin Supply Chain Attack Backdoors Pro Plugin Updates https:\/\/securityaffairs.com\/194059\/hacking\/shapedplugin-supply-chain-attack-backdoors-pro-plugin-updates.html?amp Publish Date: 2026-06-23 04:22:00 Source Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":279320,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2015\/05\/DOM-based-XSS-wordpress-2.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32],"class_list":["post-279319","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/279319"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=279319"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/279319\/revisions"}],"predecessor-version":[{"id":279321,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/279319\/revisions\/279321"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/279320"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=279319"}],"wp:term":
[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=279319"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=279319"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}