What went down (short version)

Alright, grab your digital umbrella — ShapedPlugin’s paid (Pro) plugins were tampered with and shipped to paying customers via their official update system. Researchers found malicious code sneaked into the vendor’s release pipeline, meaning legitimate licensed updates turned into a tasty delivery vehicle for malware. Think of it as a trusted package that somehow came with a surprise gremlin inside.

The compromise only affected the Pro builds delivered through the vendor’s Easy Digital Downloads account system. Free copies on the official WordPress repository were not touched.

  • Product Slider Pro for WooCommerce (versions before 3.5.4)
  • Real Testimonials Pro (version 3.2.5)
  • Smart Post Show Pro (versions before 4.0.2)

Security teams assigned CVE identifiers to the problem (one of them is CVE-2026-49777) and gave it very high severity scores — yes, it’s bad. The injected loader runs on admin pages, pulls a payload from a remote host (seen contacting 194.76.217.28:2871), installs that payload disguised as a fake plugin, then activates it.

This fake plugin then hides itself from the plugins list, reports the infected site back to the attacker, and tries to scrub traces by deleting some files. It can capture plaintext login details and 2FA codes, drop a web shell, and expose a custom REST endpoint that allows arbitrary file writes if the attacker presents the correct token.

In short: the supply chain got hijacked and the installer turned into a backdoor delivery system for the attackers.

If you grabbed the naughty update — what to do next

If you updated one of the affected Pro plugins from the vendor’s official channel, assume compromise until proven otherwise. Don’t panic like a cat in a cucumber patch; follow these steps methodically.

  • Reset all user passwords immediately (admins first) and force logout of active sessions.
  • Revoke and regenerate all 2FA secrets for every user — don’t skip this.
  • Inspect administrator accounts for any extra, unauthorized users and remove anything suspicious.
  • Check mail plugins (WP Mail SMTP, Post SMTP, Easy WP SMTP) for changed SMTP credentials and rotate any exposed secrets.
  • Scan for web shells or unexpected files — the malware used an installer named install-persistent.php and then erased itself after extracting data.
  • Review recent WooCommerce orders (last 3 months) for oddities if you run a shop; order/payment info may have been read.
  • Restore from a clean backup if you have one from before the malicious update; otherwise consider a professional incident response to fully purge persistence.

Why this is especially nasty: customers who did everything right — paid for licenses and let their plugins auto-update — were the ones hit. The attackers didn’t need to trick site owners into clicking anything; they poisoned the build/distribution process instead.

ShapedPlugin has acknowledged the problem and is reviewing its distribution and build steps. Expect patched releases after careful security checks. Until then, treat affected Pro installs as compromised and follow the cleanup checklist above.

Final tiny note: if you’re thinking about vendor-supplied updates, this is a reminder to keep backups, monitor admin accounts, and consider staging updates before installing on production sites. Also, maybe buy the digital equivalent of a tinfoil hat (just kidding — but not really).