CVE-2026-10735

Name of the Vulnerable Software and Affected Versions Real Testimonials Pro (affected versions not specified) Product Slider Pro for WooCommerce (affected versions not specified) Smart Post Show Pro (affected versions not specified)

Description A supply chain compromise occurred where attackers infiltrated the build and distribution pipeline of ShapedPlugin. This allowed the injection of a multi-stage backdoor into Pro plugin releases distributed through official licensed update channels. Unauthenticated attackers can achieve full backdoor access to affected sites. The malware facilitates credential theft, database leaks, and the exfiltration of 2FA secrets (TOTP seeds) from plugins such as WP 2FA, Wordfence Login Security, Really Simple SSL, and Two-Factor, effectively bypassing multi-factor authentication.

Technical details include a stage 1 loader in src/Includes/LicenseLoader.php that executes on admin init and beacons to a command-and-control server. A stage 2 payload is dropped into wp-content/plugins/woocommerce-subscription/, which hides itself using the all plugins filter. This payload includes a REST API backdoor at the endpoint '/wp-json/wc/v3/settings/apply', a URL parameter webshell, and a login bypass utilizing a hardcoded MD5 hash e268c35a06d85f672e70c9beecb4e5d1.

Recommendations Update the affected plugins immediately to the latest patched versions. As a temporary mitigation, restrict access to the '/wp-json/wc/v3/settings/apply' endpoint and monitor the src/Includes/LicenseLoader.php file for unauthorized activity.