Site owners running Pro plugins from ShapedPlugin were exposed to a fully featured backdoor delivered through the vendor’s own official update system — meaning users who followed every recommended security practice were still at risk. The malicious code arrived signed and packaged as a legitimate paid update, bypassing conventional security controls.
Wordfence’s Threat Intelligence Team was first notified on June 11th, 2026. Their investigation confirmed that attackers had infiltrated ShapedPlugin’s build and distribution pipeline, which uses Easy Digital Downloads (EDD) via account.shapedplugin.com to deliver Pro plugin releases. The free plugin versions distributed through WordPress.org were not affected — the attacker had targeted access only to the commercial release pipeline. Three Pro plugins carry the confirmed backdoor: Real Testimonials Pro, Product Slider Pro for WooCommerce, and Smart Post Show Pro. The vulnerability is tracked as CVE-2026-10735 with a critical CVSS score of 9.8.

ShapedPlugin published a statement on June 16th, 2026, confirming the breach and outlining their response. The company said new verified plugin versions were being prepared following comprehensive security reviews, but as of Wordfence’s disclosure, the situation remained partially patched — Wordfence confirmed obtaining a backdoored copy of Real Testimonials Pro 3.2.5 directly from the official vendor update endpoint as late as June 12th.
| File | Function |
|---|---|
| woocommerce-subscription.php | Main plugin file — hides the plugin from the admin list |
| install-persistent.php | REST API backdoor and data exfiltration |
| class-wc-admin-template.php | Bundles Tiny File Manager 2.6, a web-based file browser |
| class-wc-template-builder.php | Bundles Adminer 5.2.1, a web-based database management tool |
| class-wc-subscription-diagnostics.php | URL parameter webshell |
| class-wc-subscription-trace-dispatch.php | Credential and two-factor authentication secret stealer |
| class-wc-subscription-scheduler.php | Backdoor login bypass |
The attack runs in two stages. A malicious loader file embedded in the compromised plugin quietly downloads a secondary payload from a command-and-control server at 194.76.217.28:2871, installs it as a fake plugin disguised as WooCommerce-related software, reports the victim domain back to the attacker, then deletes itself — erasing the initial infection vector before most site owners would notice anything was wrong. The fake plugin installs into a directory named woocommerce-subscription (singular, unlike the legitimate WooCommerce Subscriptions plugin which uses the plural form), and immediately hides itself from the WordPress admin plugin list using the all_plugins filter.
The credential theft component is the most consequential part of the payload. The malware hooks into WordPress authentication to capture usernames, passwords, session cookies, user roles, and IP addresses in plaintext. It also specifically targets stored TOTP seeds — the shared secrets used by two-factor authentication apps — from four popular 2FA plugins: WP 2FA, Wordfence Login Security, Really Simple SSL 2FA, and the Two-Factor plugin. Stolen data is sent to generate.2faplugin.org, a domain chosen to blend with legitimate 2FA traffic. Because the attackers hold both the password and the underlying 2FA seed, victims who simply change their password after discovering the breach remain vulnerable.
Wordfence Premium, Care, and Response customers, along with paid Wordfence CLI users, received malware signatures covering this backdoor ahead of the public disclosure. Free Wordfence users received the same signatures after the standard 30-day delay. Anyone running affected ShapedPlugin Pro products should update immediately once verified clean versions are available, audit their site for the fake woocommerce-subscription or woocommerce-notification plugin directories, and treat any stored administrator credentials as compromised — including regenerating 2FA secrets.