securityaffairs.com 6/23/2026, 9:07:15 AM · external

Attackers inject backdoor into ShapedPlugin WordPress Pro updates

Primary Source wordfence.com

A recent supply chain attack targeted ShapedPlugin, a WordPress plugin vendor: attackers compromised its build and distribution pipeline and injected backdoor malware into Pro plugin updates. Users who installed or updated any ShapedPlugin Pro product between April and June 2026 may have exposed their sites to severe threats, including credential theft and unauthorized access.

Cybersecurity firm Wordfence confirmed the attack and highlighted that the infected plugins, notably Product Slider Pro, Real Testimonials Pro, and Smart Post Show Pro, were disseminated through legitimate channels. The malware features a loader that installs a fake plugin while eliminating traces of itself, which complicates detection. It stealthily collects two-factor authentication secrets and sends stolen data through a domain that mimics legitimate traffic. Wordfence urged affected site owners to scan their sites immediately, change passwords, and regenerate 2FA secrets.


Article by CyberSIXT
