saas · TheHackerNews
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack after threat actors tampered with the vendor's build and distribution pipeline, injecting backdoor code into Pro plugin releases. The affected plugins include Product Slider Pro for WooCommerce (versions before 3.5.4), Real Testimonials Pro (version 3.2.5), and Smart Post Show Pro (versions before 4.0.2). The compromise targeted only Pro versions distributed through ShapedPlugin's Easy Digital Downloads infrastructure; free versions on WordPress.org remain unaffected. The injected loader fetches a remote payload that installs a hidden plugin capable of capturing plaintext credentials, 2FA codes, database credentials from wp-config.php, administrator accounts, mail plugin credentials, and WooCommerce order data. The malware establishes persistence via custom REST endpoints and web shells.
For SaaS platforms and healthcare providers relying on WordPress plugins for public-facing or internal systems, this incident highlights the risks of supply chain compromises in third-party dependencies—a key control area under SOC 2 Type II audits and NIST 800-171 assessments. Defense contractors and healthcare organizations should inventory WordPress plugin sources, validate that updates originate from official channels, and verify plugin integrity before deployment. Organizations running affected ShapedPlugin Pro versions should immediately reset all passwords, revoke 2FA secrets, audit administrator accounts for unauthorized additions, and review mail plugin configurations. An Omniware engagement can scope third-party vendor risk and plugin governance frameworks aligned with your compliance posture.
Source: The Hacker News - https://thehackernews.com/2026/06/shapedplugin-wordpress-pro-plugins.html
Source: TheHackerNews
All briefings