A significant supply chain attack on the ShapedPlugin WordPress plugin, discovered by Wordfence on June 11, 2026, compromised plugins distributed via official channels. Hackers injected malware into premium updates, particularly targeting Easy Digital Downloads, while leaving free versions intact. The malware, which includes a backdoor, steals not only user credentials but also two-factor authentication secrets. It creates persistent access points for attackers, allowing them to manipulate sensitive data easily.
Multiple vulnerabilities were identified, with CVE-2026-10735 rated critical (9.8 severity). Affected users are urged to scan their sites, check for malicious files, and rotate passwords immediately, as traditional security measures may not suffice.