PT-2026-49831 · Undefined · Undefined
Published 2026-06-16 · Updated 2026-06-16 · CVE-2026-10735
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Product Slider Pro (affected versions not specified)
Real Testimonials Pro (affected versions not specified)
Smart Post Show Pro (affected versions not specified)
Description
A supply chain compromise occurred in which attackers infiltrated ShapedPlugin's build and distribution pipeline and injected a multi-stage backdoor into Pro WordPress plugin releases delivered through the official licensed update channels. Stage 1 is a loader in src/Includes/LicenseLoader.php that executes on admin init, contacts a command-and-control server, and downloads a payload. Stage 2 is a fake plugin installed in wp-content/plugins/woocommerce-subscription/ that hides itself from the admin plugin list via the all_plugins filter. This payload bundles Tiny File Manager 2.6, Adminer 5.2.1, a REST API backdoor at the endpoint '/wp-json/wc/v3/settings/apply', a URL-parameter webshell, and a login bypass keyed to the hardcoded MD5 hash e268c35a06d85f672e70c9beecb4e5d1. The malware also exfiltrates TOTP (Time-based One-Time Password) seeds from various 2FA plugins to generate[.]2faplugin[.]org, allowing attackers to bypass multi-factor authentication even after password resets.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
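With no fixed release available, the practical step is to check installations for the indicators the description names. The script below is an added example, not part of this advisory or of ShapedPlugin's code; it assumes the standard wp-content/plugins layout and matches the stage 1 loader path under any plugin directory, since the advisory does not give plugin slugs.

```shell
#!/bin/sh
# Added IR helper: scan a WordPress root for the indicators from the advisory.
# Returns 0 when nothing was found and 1 when at least one indicator is present.
# Assumption: wp-content/plugins sits directly under the given root.

scan_wp_root() {
  root="$1"
  plugins="$root/wp-content/plugins"
  hits=0

  # Stage 2: the fake plugin dropped here and hidden via the all_plugins filter,
  # so it is visible on disk but absent from the admin plugin list.
  if [ -d "$plugins/woocommerce-subscription" ]; then
    echo "HIT stage-2 directory: $plugins/woocommerce-subscription"
    hits=$((hits + 1))
  fi

  # Stage 1: loader file, matched under any plugin tree (slugs not given).
  for f in $(find "$plugins" -path '*/src/Includes/LicenseLoader.php' 2>/dev/null || true); do
    echo "HIT stage-1 loader: $f"
    hits=$((hits + 1))
  done

  # Strings quoted in the advisory: login-bypass MD5, backdoor REST route,
  # TOTP exfiltration domain (searched in its undefanged form).
  for needle in e268c35a06d85f672e70c9beecb4e5d1 wc/v3/settings/apply 2faplugin.org; do
    for f in $(grep -rlF "$needle" "$plugins" 2>/dev/null || true); do
      echo "HIT string '$needle' in: $f"
      hits=$((hits + 1))
    done
  done

  # Cross-check idea when WP-CLI is available (not run here):
  #   ls wp-content/plugins | diff - <(wp plugin list --field=name)
  # A directory present on disk but missing from the list is the hiding behaviour above.

  [ "$hits" -eq 0 ]
}
```

Run it as `scan_wp_root /var/www/html` (path is an example) and treat any non-zero exit as a site needing full incident response, since the description covers credential and 2FA seed theft, not just the plugin files.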