Do you still trust the "Update Plugin" button on WordPress after this incident?

Overview
Over the years, the cybersecurity community has become accustomed to testing WordPress plugins from unknown sources, crack repositories, or free sharing websites. However, what if the update downloaded from the developer's official server itself contains malicious code?
That is exactly what happened in the ShapedPlugin Supply Chain Attack incident announced in late June 2026.
Attackers do not distribute fake plugins, nor do they trick administrators into installing software from third-party websites. Instead, they infiltrated ShapedPlugin's development chain (Software Supply Chain) and installed backdoors directly into official updates for paying customers.
Different from normal vulnerability exploitation campaigns, this is a clear demonstration of modern attack trends: instead of attacking individual victims, attackers target software providers to turn them into "distributors" of malicious code.
Context and scope of the campaign
Who is ShapedPlugin?
ShapedPlugin is a popular WordPress plugin developer that focuses on commercial plugins for e-commerce, product display, filters, sliders, and many WooCommerce widgets.
Their plugins are installed on tens of thousands of WordPress websites, especially sales websites using WooCommerce.
Some prominent plugins include:
Product Slider Pro for WooCommerce
Logo Showcase
WooCommerce Quick View
Woo Product Carousel
Real Testimonials
Post Carousel
Smart Post Show
That's why ShapedPlugin's server is the only "reliable source" that customer websites use to receive updates. This is also the weak link that is exploited by attackers
What happened?
According to Wordfence's investigation, attackers infiltrated ShapedPlugin's software distribution system and replaced some Pro plugin packages with backdoored versions.
The dangerous point lies in the fact that: Website administrators completely trust the update server.
From this perspective we can easily imagine that the entire process is valid.
No strange plugins.
There are no warnings.
No malicious code was downloaded from an external website.
All come from the official server.
Why is this a Supply Chain Attack?
For a typical attack, the attacker will target the victim's website directly.
But in this case they chose a different path:
Attacker -> Developer Infrastructure -> Official Update Server -> Thousands of Customers
The difference lies in scale. If exploiting each individual WordPress website, the attacker would have to repeat the process thousands of times. But when you control the update pipeline, just one malicious code installation is enough for every customer who downloads the update after that to become a victim.
This is a model that has appeared in famous cases such as:
SolarWinds Orion (2020)
Codecov Bash Uploader (2021)
3CX Desktop App (2023)
XZ Utils Backdoor (2024)
The ShapedPlugin incident shows that open source ecosystems like WordPress are also becoming targets of similarly sophisticated supply chain campaigns.
Plugin is confirmed to be infected
| Plugin | Affected (Backdoored) Version | Patched (Clean) Version | CVE |
|---|---|---|---|
| Product Slider Pro for WooCommerce | < 3.5.4 | 3.5.4 and later | CVE-2026-49777 |
| Real Testimonials Pro | 3.2.5 (confirmed backdoored) | Latest patched release | CVE-2026-10735 |
| Smart Post Show Pro | < 4.0.2 | 4.0.2 and later | CVE-2026-10735 |
Event timeline
| Date | Event |
|---|---|
| 2025-05-03 | Earliest timestamp found for Adminer 5.2.1 within the malicious payload, indicating the toolkit had been prepared more than a year before the attack was deployed. |
| 2026-03-16 | Tiny File Manager 2.6 was added to the attack toolkit included in the payload. |
| 2026-03-25 | Final SVN commit made under the rubel_miah account, the original developer of ShapedPlugin. |
| 2026-04-08 – 2026-04-15 | Suspicious activity: Seven free plugins were batch-deployed to the WordPress.org SVN repository under the shapedplugin account. All commits referenced "Update from GitHub," marking the earliest known indicator that the release pipeline may have been compromised. |
| 2026-05-09 | The attackers finalized the credential stealer and persistence mechanisms embedded within the malicious payload. |
| 2026-05-10 | The attacker-controlled domain 2faplugin.org was updated, approximately 11 days before the malicious code injection into official plugin releases. |
| 2026-05-18 | The first known victims were compromised, as evidenced by cache poisoning artifacts observed during forensic analysis. |
| 2026-05-21 | LicenseLoader.php was injected into the affected Pro plugin builds, marking the beginning of the active supply chain attack. On the same day, CVE-2026-49777 was privately reported to Patchstack. |
| 2026-06-04 | CVE-2026-49777 was publicly disclosed. |
| 2026-06-10 | A Wordfence customer reported signs of compromise after updating Real Testimonials Pro. |
| 2026-06-11 | The incident was escalated to the Wordfence Threat Intelligence team. ShapedPlugin was also notified after one of its customers reported the compromise. |
| 2026-06-12 | Wordfence successfully downloaded a backdoored plugin package directly from the vendor's official update endpoint, confirming that the supply chain compromise was still active. |
| 2026-06-15 | Wordfence established direct communication with the ShapedPlugin team to coordinate incident response. |
| 2026-06-16 | ShapedPlugin published an official statement acknowledging the incident and announced remediation efforts. On the same day, Wordfence released a Public Security Advisory (PSA) warning users of the active supply chain attack. |
| 2026-06-23 | Security Affairs published its report covering the supply chain compromise. |
| 2026-06-26 | Joseph Charnin published an in-depth technical analysis of the ShapedPlugin supply chain attack. |
Kill Chain / Attack Flow — Technical Analysis
To understand the danger of this campaign, it is necessary to look at it from the perspective of the entire attack chain instead of just focusing on the malicious code installed in the plugin. Unlike traditional WordPress exploit attacks, where the target is individual websites, this campaign takes advantage of trust between developers and customers to turn a legitimate update mechanism into a backdoor distribution channel.
Phase 1 – Penetrating development infrastructure (Initial Compromise)
There is currently no official announcement about the initial access point, however from technical evidence it can be seen that the attacker was able to:
Access the plugin build or packaging system.
Or access the server that distributes the update.
Or take over an account with permission to release a new version.
These are the only three locations that allow malicious code to appear simultaneously in multiple Pro plugins but still be distributed through the official update channel.
We can imagine the plugin release architecture as follows:
An attacker only needs to control one link in this chain to spread malicious code to all customers. This is why Supply Chain attacks often have a very high success rate.
Stage 2 – Insert Backdoor into Plugin
After gaining access, the attacker did not change the entire plugin but only added a small piece of PHP to the source code.
This is a popular tactic because:
makes little difference when comparing source code;
The plugin still works normally;
User fails to detect functional error;
The update process did not fail.
In other words: "The plugin still performs the correct e-commerce function, but at the same time opens an additional "backdoor" for attackers."
This is the most dangerous type of backdoor because the ability to hide is very high.
Phase 3 – Spread via Official Update
This is completely different from regular WordPress malware.
Normally: Attacker -> Upload Malware -> Victim Website
In this case: Official Update -> WordPress Download -> Install Plugin -> Backdoor Active.
The WordPress website does not know that the plugin has been modified. For WordPress: valid version, valid source, valid checksum according to the developer;, valid API update. Therefore, no warnings appear.
Phase 4 – Backdoor activation
According to Wordfence analysis, the malicious code is designed to wait for a special HTTP request before taking action. This helps limit the possibility of detection during normal use.
Instead of automatically running immediately after installation, the backdoor only activates when it receives parameters or conditions that the attacker controls. This approach brings many benefits:
reduces the likelihood of detection by behavioral scanning tools;
Avoid causing errors or changing plugin functionality;
allows attackers to choose when to exploit.
Some variants also use dynamic PHP functions such as eval(), base64_decode(), gzinflate() or create_function() to decode and execute the payload in memory instead of directly storing the malicious code in a readable form. These are familiar techniques that make analysis and identification difficult.
Giai đoạn 5 – Remote Code Execution
Once activated, the backdoor allows remote execution of PHP code with the permissions of the web server process (for example, www-data, apache or nginx, depending on the system).
If the website is poorly configured or the web server has write access to the application directory, an attacker can:
upload to webshell;
edit WordPress files;
create a new admin account;
change website content;
install additional malicious plugins;
steal configuration data.
In the WordPress environment, simply executing PHP code is almost synonymous with taking control of the entire website.
Stage 6 – Establishing Persistence
A backdoor is only valuable if it maintains long-term access.
Once you have permission to execute code, the next steps typically include:
create hidden Administrator account;
install other malicious plugins;
insert code into functions.php;
write webshell to uploads folder;
create a Scheduled Task or WP-Cron to reload the payload if deleted.
This makes simply removing infected plugins not a guarantee of a completely clean system. Administrators need to thoroughly check to detect persistence mechanisms that have been set up after the backdoor is active.
Stage 7 – Final goal
Once in control of a website, attackers can pursue many different goals:
Information theft
WordPress websites usually host:
customer information;
e-mail;
phone number;
Address;
order history;
API Key;
database connection information.
This is all valuable data on the black market.
Hijack WooCommerce
If the website operates an online store, the target can:
change payment information;
payment gateway redirection;
stealing order information;
insert skimmer code to collect payment data.
Spreading malware
Legitimate websites with large amounts of traffic can be exploited to:
spreading malicious code;
user redirection;
phishing;
distribute ransomware or other payloads.
Building Botnets
A hijacked WordPress website can also become a "node" in a botnet to:
spamming;
perform DDoS;
scan the Internet for new targets;
serve as an anonymous proxy for other activities.
Evidence of CI/CD Pipeline Compromise
Wordfence provides 4 independent pieces of evidence that this is a CI/CD pipeline compromise, not manual package tampering after distribution:
Surgical File Modification
Analysis of timestamps in infected ZIP packages:
| Date | Number of Files | Significance |
|---|---|---|
| 2025-04-22 | 366 files | Baseline legitimate build released prior to the compromise. |
| 2026-02-25 | 100 files | Legitimate plugin release update with no known malicious modifications. |
| 2026-05-21 | 4 files | Backdoor injection introduced into the plugin, marking the beginning of the supply chain compromise. |
| 2026-05-23 | 3 files | Version bump following the backdoor injection, likely intended to distribute the compromised build through the official update channel. |
Only 4 files were changed in a 2-hour window on May 21, 2026 — consistent with an automated build step inserted into the pipeline, not a manual operation.
Git Build Artifacts
In vendor/composer/installed.php of Pro plugin ZIP exists git SHA reference:
'reference' => 'd0f349c04c2a3578a65b7e17bcabc84152a61b12',
This confirms the package was built from a private git repository, consistent with SVN commit messages referencing "Update from GitHub". ShapedPlugin GitHub organization has no public repository — it's all private pipeline.
SVN Committer Pattern Change
WordPress.org SVN logs show unusual changes:
Before March 25, 2026: commits under account rubel_miah
From April 8, 2026: 7 free plugins will be batch-deployed under the shapedplugin account during the period August 4 - April 15
Switching committer accounts and batch deployments without following the usual cadence is the clearest sign of pipeline takeover.
Selective Injection Strategy
The attacker had enough access to inject malware into both WordPress.org free plugins and EDD Pro plugins, but only targeting Pro builds. This suggests at least one of three reasons:
Awareness of WordPress.org malware scanning — injecting free plugins will be detected faster
Pro plugin users are paying customers with higher value (WooCommerce stores, agencies)
Minimize noise to prolong dwell time
Indicators of Compromise (IOC)
Network Indicators
194.76.217.28:2871
generate.2faplugin.org
2faplugin.org
File Indicators
0e17c869d3e4586d4c160041042bd15123c2a37117a98a995fae885f0f4417fc
e268c35a06d85f672e70c9beecb4e5d
MITRE ATT&CK Mapping
| Tactic | Technique | Description |
|---|---|---|
| Initial Access | T1195.002 — Supply Chain Compromise: Software Supply Chain | Compromises the vendor's software build or distribution pipeline. |
| Execution | T1059.004 — Command and Scripting Interpreter: Unix Shell | Executes shell commands through a web shell using URL parameters. |
| Execution | T1106 — Native API | Uses the WordPress Plugin_Upgrader API to install a malicious (fake) plugin. |
| Persistence | T1505.003 — Server Software Component: Web Shell | Establishes persistence by installing a web shell through the fake plugin. |
| Persistence | T1505.004 — Server Software Component: IIS Components (Adapted: REST Backdoor) | Implements a REST API backdoor that allows arbitrary file writing. |
| Defense Evasion | T1036.005 — Masquerading: Match Legitimate Name or Location | Disguises the malicious plugin as a legitimate WooCommerce plugin using the name woocommerce-subscription. |
| Defense Evasion | T1070.004 — Indicator Removal: File Deletion | Deletes the loader and data exfiltration files after execution to remove forensic evidence. |
| Defense Evasion | T1027 — Obfuscated Files or Information | Obfuscates function names using chr() array-based string construction. |
| Credential Access | T1539 — Steal Web Session Cookie | Captures users' session cookies via the wp_login hook. |
| Credential Access | T1003 — OS Credential Dumping (Adapted: WordPress Credential Hook) | Captures plaintext user credentials via the wp_authenticate hook. |
| Credential Access | T1552.001 — Unsecured Credentials: Credentials In Files | Reads and exfiltrates credentials stored in wp-config.php. |
| Collection | T1213 — Data from Information Repositories | Collects WooCommerce orders, administrator accounts, and SMTP credentials. |
| Exfiltration | T1041 — Exfiltration Over C2 Channel | Exfiltrates collected data to the command-and-control (C2) server at generate.2faplugin.org. |
Expert Comments
Why Stealing 2FA Secret Is The Most Dangerous Point
In most common credential theft incidents, changing the password immediately after discovery is enough to revoke the attacker's access. This incident breaks that assumption.
Attackers don't just capture passwords — they capture TOTP seeds (original secret to generate OTP code). TOTP seed is a static string that does not change between logins; Once you have the seed, the attacker can generate a valid OTP code at any time in the future without needing the victim's device. Even if the victim finds out and changes the password, the account is still compromised if they forget to revoke the 2FA secret.
What makes it more complicated: the four most popular 2FA plugins in the WordPress ecosystem were all targeted. If a site uses Wordfence Login Security for admin accounts and WP 2FA as a backup — both will be drained.
The Sophistication of Pipeline Compromise
Not every supply chain attack requires a high level of sophistication. But this campaign has some notable features:
Long-term preparation: Timestamp of Adminer 5.2.1 (attack tool) from May 2025 — more than 1 year before the attack actually occurred. The attacker has been perfecting the toolset for a long time.
Pipeline control: Switching SVN committer and batch-deploying 7 plugins in 1 week shows deep access to CI/CD infrastructure, not just access to one package at a time.
Selective injection for optimal dwell time: Skip free plugins (with WordPress.org scanning) to focus on Pro builds — decide with a clear strategy.
In our opinion, this is an actor with a better level of preparation and operational discipline than most commodity malware campaigns. However, we do not have enough evidence to attribute any specific threat actor or country — IP hosting at AEZA GROUP LLC (Russian-registered) is circumstantial evidence, not attribution.
Perspectives on Organizations in Vietnam
The WordPress ecosystem in Vietnam has a unique characteristic: many agencies and freelance developers manage dozens to hundreds of client sites with a set of Pro plugins purchased under a multi-site license. ShapedPlugin Pro is on the list of popular plugins used on both e-commerce and corporate sites.
This creates risk for the agency's own supply chain: if the agency's developer account is compromised, their entire client sites are at risk. Attackers don't need to attack individual sites — they just need to attack the site's management unit.
Risk arising from exfiltrated WooCommerce data: if the client site has WooCommerce and processes orders from end-users in Vietnam, that organization is obliged to notify personal data breaches according to Decree 13/2023/ND-CP on personal data protection. Exposed SMTP credential also opens up the risk of further phishing targeting the customer base of that site.
Recommended
Immediate (0–24 hours)
Check IOC in log:
Grep web server/outbound proxy log for C2 IP
grep "194.76.217.28" /var/log/apache2/access.loggrep "194.76.217.28" /var/log/nginx/access.log
Check DNS query to exfil domain
grep "2faplugin.org" /var/log/named/queries.log
Check file artifacts:
Find fake plugin directory
ls -la wp-content/plugins/ | grep -E "woocommerce-subscription$|woocommerce-notification$"
Find loader file
- find . -name "LicenseLoader.php" 2>/dev/null
Check wp_options for persistence markers
wp option get theme_options_scriptswp option get wc_nf_install_done
Reset credentials immediately if compromise is detected:
Change passwords for all admin accounts
Revoke and regenerate 2FA secret for all admins (disable and re-setup authenticator app)
Invalidate all active sessions: wp session destroy --all
Short-term (1–7 days)
Audit administrator accounts:
List all admin users với registration date
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
Look for unrecognized accounts, especially accounts created between May 21 - June 10, 2026.
Check and rotate SMTP credentials:
WP Mail SMTP, Post SMTP, Easy WP SMTP: check API key/password
If using SendGrid/Mailchimp: rotate API keys from the service provider dashboard
Enable SMTP authentication logging for the next 30 days to detect unauthorized relay
Update to clean version:
Product Slider Pro for WooCommerce → 3.5.4+
Smart Post Show Pro → 4.0.2+
Real Testimonials Pro → Latest release (verify with ShapedPlugin team)
Full malware scan:
Use Wordfence CLI if available
- wfcli malware-scan /var/www/html/
Hoặc dùng YARA rule cho IOC file paths
- yara shapedplugin_ioc.yar /var/www/html/wp-content/plugins/
Evaluate data breach notification obligations:
If the site has WooCommerce orders data: review the number of affected customers
Decree 13/2023/ND-CP requires notification of personal data breaches to competent authorities within 72 hours
Long-term (> 7 days)
Don't completely disable auto-update for premium plugins — but add a layer of control:
File integrity monitoring: Configure Wordfence (or equivalent) to alert when there are file changes in wp-content/plugins/
Staging-first update policy: All premium plugin updates must be tested on staging 24–48 hours before applying to production
Outbound connection monitoring: Block or alert outbound connection from webserver to IP/port not in whitelist — 194.76.217.28:2871 is not a normal port
Changes to the vendor plugin management process:
When choosing a premium plugin vendor, prioritize a vendor that has:
Public changelog clearly with diff or commit reference
Code signing or checksum verification for the package
Transparent disclosure history when there is a security incident
Apply the principle of least privilege to WordPress:
The Admin account should only exist when needed — use the Editor role for normal content management
2FA is mandatory but there must be a process to revoke secrets when needed (not just changing passwords).
Reference
ShapedPlugin Supply Chain Attack Backdoors Pro Plugin Updates
Multiple ShapedPlugin Plugins < (Various Versions) - Backdoored Software
ShapedPlugin Supply Chain Attack (CVE-2026-49777): 400,000+ WordPress Sites Backdoored





