ShapedPlugin WordPress Supply Chain Attack: What You Need to Know

ShapedPlugin Pro WordPress plugins were compromised in a supply chain attack that stole customer data and credentials. Here’s what happened, which plugins were affected, and the immediate steps you need to take to protect your site.


If you’re using ShapedPlugin Pro plugins on your WordPress site, you need to stop what you’re doing and read this. On June 18, 2026, security researchers confirmed that several ShapedPlugin commercial plugins were compromised in a supply chain attack. This wasn’t a simple hack. The attackers got into the vendor’s update system itself, which means that if you updated your plugins, you may have installed malware directly from what looked like a trusted source.

Here’s what that means for your site. The malicious code stole WordPress login credentials, database passwords, email service credentials, two-factor authentication secrets, and WooCommerce order data from the past three months. If you’re running an online store or handling customer information, this is serious. Your customers’ data may have been exposed without you knowing it.

How the ShapedPlugin Attack Actually Worked

The attackers compromised ShapedPlugin’s update infrastructure, not WordPress.org itself. When paying customers downloaded or auto-updated their Pro plugins, they received a poisoned version. The malware activated when you logged into your WordPress admin panel, then contacted a remote server to download additional malicious code.

The second stage installed itself as a fake plugin with names like “woocommerce-subscription” or “woocommerce-notification.” These fake plugins were hidden from your normal plugin list, making them nearly impossible to spot unless you knew what to look for. The backdoor then started collecting sensitive information from your site and sending it back to the attackers.

Additionally, the malware created a hidden administrator account called “wp_support_sys” on compromised sites. This gave attackers ongoing access to your WordPress dashboard, even if you changed your own password. The code also injected spam links into your site’s footer and modified .htaccess files to maintain persistence.

Which ShapedPlugin Products Were Affected

Three specific plugins were compromised in this attack. Product Slider Pro for WooCommerce (versions before 3.5.4), Real Testimonials Pro (version 3.2.5), and Smart Post Show Pro (versions before 4.0.2) all contained malicious code. The compromise started on May 21, 2026, but wasn’t publicly confirmed until nearly a month later.

Only Pro versions purchased directly from ShapedPlugin were affected. The free versions hosted on WordPress.org remained clean throughout this incident. However, if you have the Pro versions and updated them between May 21 and mid-June 2026, your site is likely compromised.

What Information Was Stolen from Your Site

The malware targeted high-value information that could be used for further attacks or sold on criminal marketplaces. It collected your WordPress admin credentials and session cookies, giving attackers full access to your dashboard. Database credentials and authentication keys from your wp-config.php file were also stolen, potentially exposing your entire database.

If you’re using two-factor authentication plugins, the malware specifically targeted those secrets, effectively bypassing that security layer. Email service credentials (SMTP settings) were exfiltrated, which means attackers could potentially send emails as your domain. For WooCommerce users, the worst news is that order data from the past three months was collected, including customer names, addresses, and purchase information.

The stolen data was sent to a domain called cdn-stats-api[.]com, which was set up to look like a legitimate content delivery network. This made the malicious traffic harder to spot in server logs.

Warning Signs Your Site May Be Compromised

There are several indicators that your site was infected by this ShapedPlugin attack. Check your user list for an administrator account named “wp_support_sys” that you didn’t create. Look in your /wp-content/plugins/ directory for files with names like “class-wp-cache-manager.php,” “init-core-helper.php,” or “wp-db-update.php” that don’t belong to any legitimate plugin.

Your .htaccess file may contain encoded redirects or unusual rewrite rules. Some site owners also noticed spam links appearing in their footer that they didn’t add. If your site is making unexpected outbound connections to unfamiliar domains, that’s another red flag.
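As an added example (not code from the article or from ShapedPlugin), the following script runs the checks above on a host: it diffs the plugin directories on disk against the names WordPress itself reports (which is how a plugin hidden from the admin plugin list shows up), looks for the named dropped files, flags .htaccess lines containing encoded blobs or rewrites to an external host, and searches an outbound-connection log for the exfiltration domain. The WordPress-reported plugin names, the administrator login list and the egress log text are assumed to be supplied by the operator (for example from WP-CLI’s `wp plugin list` and `wp user list` and a proxy or firewall log); `demo()` builds a constructed site tree so the script runs offline.

```python
"""Triage checks for the ShapedPlugin indicators above (constructed example, not vendor code)."""
import re
import tempfile
from pathlib import Path

ROGUE_ADMIN = "wp_support_sys"                      # hidden admin account named in the article
SUSPECT_FILES = {"class-wp-cache-manager.php",       # dropped files named in the article
                 "init-core-helper.php", "wp-db-update.php"}
EXFIL_DOMAIN = "cdn-stats-api.com"                  # exfiltration domain named in the article
# .htaccess lines that need a human look: encoded blobs, eval, or rewrites to an external host
HTACCESS_RE = re.compile(r"base64|eval\(|RewriteRule\s+\S+\s+https?://", re.I)

def hidden_plugins(plugins_dir: Path, wp_reported: set) -> set:
    """Plugin dirs on disk that WordPress does not report: how a hidden fake plugin shows up."""
    return {p.name for p in plugins_dir.iterdir() if p.is_dir()} - wp_reported

def suspect_files(plugins_dir: Path) -> list:
    """Any of the named dropped files, wherever they sit under wp-content/plugins."""
    return sorted(str(p.relative_to(plugins_dir)) for p in plugins_dir.rglob("*.php")
                  if p.name in SUSPECT_FILES)

def htaccess_hits(htaccess: Path) -> list:
    if not htaccess.is_file():
        return []
    return [l.strip() for l in htaccess.read_text().splitlines() if HTACCESS_RE.search(l)]

def triage(wp_root: Path, wp_reported: set, admin_logins: list, outbound_log: str) -> dict:
    """Inputs: names from `wp plugin list`, logins from `wp user list`, and egress log text."""
    plugins = wp_root / "wp-content" / "plugins"
    return {
        "rogue_admin": ROGUE_ADMIN in admin_logins,
        "hidden_plugins": sorted(hidden_plugins(plugins, wp_reported)),
        "suspect_files": suspect_files(plugins),
        "htaccess": htaccess_hits(wp_root / ".htaccess"),
        "exfil_lines": [l for l in outbound_log.splitlines() if EXFIL_DOMAIN in l],
    }

def demo() -> dict:
    """Build a constructed site tree that shows every indicator, then triage it."""
    root = Path(tempfile.mkdtemp())
    for d in ("product-slider-pro", "woocommerce-subscription"):  # second dir is the fake plugin
        (root / "wp-content" / "plugins" / d).mkdir(parents=True)
    (root / "wp-content/plugins/woocommerce-subscription/init-core-helper.php").write_text("<?php\n")
    (root / ".htaccess").write_text("RewriteEngine On\nRewriteRule ^(.*)$ https://example.invalid/$1 [R,L]\n")
    log = ("2026-06-01 10:00:01 CONNECT cdn-stats-api.com:443\n"      # constructed egress log lines
           "2026-06-01 10:00:02 CONNECT api.wordpress.org:443\n")
    return triage(root, {"product-slider-pro"}, ["admin", ROGUE_ADMIN], log)
```

Run the same `triage()` again after cleanup: every field should come back empty or False before you re-enable updates.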

Immediate Steps You Need to Take Now

First, update the affected plugins immediately. Product Slider Pro version 3.5.4 and Smart Post Show Pro version 4.0.2 contain fixes for this issue. However, updating alone isn’t enough because the malware included persistence mechanisms.

Go to your Users section and delete the “wp_support_sys” account if it exists. Change every password on your site, including your WordPress admin password, database password, SMTP/email service credentials, and any API keys stored in your site. If you’re using two-factor authentication, regenerate those secrets as well.

Look through your plugins directory for unexpected files and remove them. Download fresh copies of your legitimate plugins from trusted sources and compare them to what’s on your server. Check your .htaccess file for unusual entries and restore it from a known-good backup if necessary.

Turn off auto-updates for ShapedPlugin products until you’re absolutely certain your site is clean. The attackers compromised the update mechanism itself, so you can’t trust it until the vendor confirms they’ve secured their infrastructure.

What This Means for Your Business

If you run an online store, you may have regulatory obligations to report this breach. Customer data was potentially exposed, which could trigger notification requirements under laws like GDPR, CCPA, or other data protection regulations. Consult with a legal professional about your specific obligations.

Beyond compliance issues, there’s the reputational damage to consider. If customers find out their information was exposed through your site, that affects trust. Being proactive about fixing this problem and communicating with affected customers demonstrates you take their security seriously.

The attackers also had full administrative access to your WordPress site, which means they could have done more than just steal data. Review your published content to make sure nothing was modified or added without your knowledge. Check your WooCommerce settings to ensure pricing, shipping, or payment information wasn’t altered.

Why Supply Chain Attacks Are So Dangerous

This ShapedPlugin incident highlights why supply chain attacks are particularly effective. You did everything right by keeping your plugins updated, but the update itself was the attack vector. The malware came from a trusted source, which bypassed your usual security instincts.

WordPress.org has review processes for free plugins, but commercial plugins sold directly by vendors don’t go through the same scrutiny. When you update a Pro plugin from the vendor’s own servers, you’re trusting their security practices. In this case, that trust was exploited.

The attack was sophisticated enough to hide its tracks. Fake plugins that don’t appear in your plugin list, hidden administrator accounts, and legitimate-looking domain names for data exfiltration all made detection difficult. Most site owners wouldn’t have noticed anything wrong until researchers published the details.

How to Protect Against Future Attacks

While you can’t prevent a vendor’s infrastructure from being compromised, you can limit the damage. Consider turning off automatic updates for commercial plugins and reviewing each update manually. This gives you time to check if other users are reporting problems before you install it yourself.

Monitor your site for unexpected file changes using integrity checking tools. Set up alerts for new administrator accounts or unusual database queries. Review your access logs regularly for connections to unfamiliar domains.

Maintain current backups of your site, and test them regularly to make sure they work. If your site gets compromised, a clean backup from before the attack is your fastest path to recovery. Keep those backups offline or in a separate system so they can’t be encrypted or deleted by attackers.

Consider working with a WordPress maintenance service that monitors for these kinds of threats. Having someone watching your site who knows what to look for provides an extra layer of protection. They can often spot and contain problems before they escalate.

What ShapedPlugin Said About the Breach

ShapedPlugin acknowledged the incident on June 16, 2026, two days before it became public knowledge. The company confirmed that their build pipeline and update infrastructure were compromised, not the plugins themselves. They released patched versions and stated that plugins hosted on WordPress.org were never affected.

The vendor hasn’t provided detailed information about how their systems were breached or what security improvements they’ve implemented to prevent future incidents. Until they publish a full post-incident report, questions remain about whether their update infrastructure is now truly secure.

The Bottom Line for Your WordPress Site

If you’re using Product Slider Pro, Real Testimonials Pro, or Smart Post Show Pro from ShapedPlugin, assume your site is compromised until you’ve completed all remediation steps. This isn’t a situation where you can take a wait-and-see approach. The attackers stole credentials that give them ongoing access to your site, and they collected customer data that could be used for fraud or sold to other criminals.

Update to the patched versions immediately. Remove rogue administrator accounts. Change all your passwords and authentication secrets. Scan for unexpected files and remove them.

Review your .htaccess file for modifications. Check your WooCommerce order data to see what was exposed. If you’re unsure about any of these steps, get help from a WordPress security professional.

This attack demonstrates why WordPress security isn’t just about keeping your site updated. You also need to think about the trustworthiness of the vendors you rely on, implement monitoring to detect unusual activity, and have an incident response plan ready. Your WordPress site is a business asset that requires the same kind of security attention you’d give to any other critical system.

Key Takeaways

  • Product Slider Pro for WooCommerce (versions before 3.5.4), Real Testimonials Pro (version 3.2.5), and Smart Post Show Pro (versions before 4.0.2) all contained malicious code.
  • The compromise started on May 21, 2026, but wasn't publicly confirmed until nearly a month later.
  • If you have the Pro versions and updated them between May 21 and mid-June 2026, your site is likely compromised.
  • Product Slider Pro version 3.5.4 and Smart Post Show Pro version 4.0.2 contain fixes for this issue.
  • ShapedPlugin acknowledged the incident on June 16, 2026, two days before it became public knowledge.

Original Source: www.rescana.com

WP Guy News aims to be as close as possible to a single source of information for all WordPress news. It is sponsored by Your WP Guy, a WordPress security and maintenance company. You can learn more about our company here: Your WP Guy
