A trusted update button just became a liability for thousands of WordPress site owners. ShapedPlugin, a vendor known for popular front-end and content display tools, confirmed that its official update system delivered backdoored software directly to paying customers. The company’s free plugins alone power more than 400,000 active websites. Which gives a sense of how wide ShapedPlugin’s reach extends across the WordPress ecosystem.
Security researchers at Wordfence first flagged the issue after customers reported strange behavior following routine plugin updates. What they found was not a one-off bad file. It was a compromise sitting inside ShapedPlugin’s own build pipeline, the system responsible for packaging and releasing software updates to customers.
How the ShapedPlugin Attack Unfolded
The timeline tells a story of an attack that sat undetected for weeks. Wordfence data shows the backdoor was injected into ShapedPlugin’s Pro builds on May 21. Customers did not start noticing problems until June 10, nearly three weeks later.
Researchers confirmed the breach on June 12 by downloading infected plugins directly from the ShapedPlugin website. ShapedPlugin publicly acknowledged the incident on June 16, telling Wordfence that its team had already started an investigation and put mitigation steps in place.
Three paid products were affected:
- Product Slider Pro for WooCommerce, versions before 3.5.4
- Real Testimonials Pro, version 3.2.5
- Smart Post Show Pro, versions before 4.0.2
Free versions hosted on the official WordPress.org repository stayed clean throughout the incident. That detail matters, because it points investigators toward where the breach actually happened.
What the Malware Does Once Installed
The infection method is quietly effective. A malicious file named LicenseLoader.php sits dormant inside the compromised plugin until a site administrator logs into the WordPress dashboard. Once that happens, the loader contacts a command-and-control server controlled by the attackers.
From there, the loader downloads a second-stage payload and installs it as a fake plugin. It disguises itself with names like woocommerce-subscription or woocommerce-notification, so it blends in with legitimate WooCommerce components. The fake plugin also hides itself from the WordPress plugin list, which means a site owner scrolling through their installed plugins would not spot anything unusual.
After reporting back to its operators, the original loader deletes itself. This step erases much of the evidence that would normally help an administrator realize their site had been compromised.
Data at Risk
The fake plugin is built to harvest a wide range of sensitive information. Wordfence’s analysis lists several categories of stolen data, including:
- WordPress login credentials, covering usernames, passwords, session cookies, user roles, IP addresses, and browser details
- Two-factor authentication secrets pulled from popular WordPress security plugins
- Database credentials and authentication keys lifted from the wp-config.php file
- Administrator account details
- SMTP and email service credentials
- WooCommerce order data from the past three months, including payment method information
That last point is especially concerning for any online store running the affected plugins, because payment-related data sitting on a compromised site creates real financial exposure for both the business and its customers.
Why This Points to a Build Pipeline Compromise
Wordfence researchers believe attackers gained direct access to ShapedPlugin’s release infrastructure rather than simply stealing a download link or hijacking a single file. Their reasoning rests on file modification patterns, timestamps that suggest automated injection rather than manual tampering, and Git build references found inside the compromised packages.
This distinction matters because it changes how the industry should think about plugin security. A stolen credential or a hijacked CDN account is bad, but a compromised build pipeline means the attacker had a foothold deep enough to tamper with software before it ever reached customers. The ShapedPlugin incident follows a similar case involving OptinMonster, another widely used WordPress product, which was breached through a compromised content delivery network account. Together, these incidents suggest plugin supply chains have become a consistent target for attackers looking for high-impact access at scale.
What Site Owners Should Do Now
ShapedPlugin has released patched versions for all three affected products: Product Slider Pro 3.5.4, Smart Post Show Pro 4.0.2, and Real Testimonials Pro 3.2.6. Updating immediately closes the door the attackers used, but it does not undo any damage already done if a site was infected.
Site administrators who installed any of the affected versions should take a few concrete steps. First, check for the presence of fake plugins named woocommerce-subscription or woocommerce-notification, since these will not appear in the standard plugin list and may require a direct file system or database check. Second, reset all passwords associated with the site, including admin, FTP, and database credentials. Third, regenerate two-factor authentication secrets, because the original ones may already be in attacker hands.
Reviewing the list of user accounts on the site is also worth doing, since attackers with this level of access could add rogue administrator accounts as a backup entry point.
Final Thoughts
The ShapedPlugin incident is a reminder that keeping software updated, normally the single best piece of security advice anyone can give, is not a guarantee of safety when the update source itself gets compromised. For WordPress site owners, especially those running WooCommerce stores, this case is a useful prompt to review installed plugins, confirm update sources, and treat sudden vendor security disclosures as a signal to check their own environment rather than something that only happens to other people. Anyone who values their site’s security and their customers’ data should treat plugin supply chains as part of their attack surface, not just a convenience feature.