The security advice is the same everywhere: keep your plugins current, turn on auto-updates, do not run stale code. For roughly three months this spring, following that advice on a WordPress site is what installed a backdoor. The trusted update was the payload.
Between April and June 2026, paying customers of ShapedPlugin, a vendor whose free plugins run on more than 400,000 active WordPress sites, pulled licensed updates that quietly carried malware. The free editions on the official WordPress.org directory stayed clean. The premium downloads, the ones people paid for and trusted more, are the ones that shipped the backdoor. Security firm Wordfence confirmed the compromise on June 12, and the shape of it is not a plugin bug. It is a compromise of the machinery that builds and ships the plugins.
How did a licensed update become the attack?
The attackers did not find a flaw in the plugin code. They got into ShapedPlugin's build and distribution pipeline and added their code to the Pro releases on the way out the door, then let the vendor's own licensed update channel deliver it. According to Security Affairs, the tampering looks like an automated build-step injection rather than someone editing files by hand, which is why it sailed through to customers as a normal signed update.
Three Pro products are known to be affected:
- Product Slider Pro for WooCommerce, tracked as CVE-2026-49777 and rated a maximum CVSS 10.0, fixed in 3.5.4
- Real Testimonials Pro, with the malicious code present in 3.2.5
- Smart Post Show Pro, fixed in 4.0.2
The incident overall carries CVE-2026-10735 at CVSS 9.8. The Hacker News reports the bad updates went out through the vendor's Easy Digital Downloads store at account.shapedplugin.com, while the timeline points to a tight working window: forensic artifacts show several files rewritten inside a two-hour span on May 21, and an exfiltration domain refreshed on May 10. The free WordPress.org copies, which go through a public review and automated scanning before release, were never touched.
That contrast is the part worth sitting with. The repository everyone treats as the riskier, lowest-common-denominator channel held. The paid channel, where a license key and a checkout receipt buy an assumption of safety, is where the trust boundary actually broke. Paying for the Pro version put a site at higher risk than running the free one, because the soft target was the vendor's own pipeline, not the storefront.
What does the backdoor actually do?
The malware runs on every admin page load, pulls a second-stage payload from an attacker server, then deletes its own loader to frustrate forensics. It installs a hidden fake plugin that steals admin credentials, database secrets, mail-service keys, and the one-time-password seeds behind two-factor logins.
In more detail: the first-stage loader, a file named LicenseLoader.php, reaches out to 194.76.217.28 on a high port, reports the victim's domain, drops the real payload, and removes itself. The payload installs itself under an innocuous name, either woocommerce-subscription or woocommerce-notification, and hides that entry from the WordPress plugins list so an admin scrolling the dashboard sees nothing new. From there it exposes a REST endpoint for arbitrary file writes, bundles the Tiny File Manager and Adminer tools for point-and-click access to files and the database, ships a web shell that runs commands handed to it in a URL, and plants a hardcoded password-hash bypass so the attacker can log in as an administrator without knowing any real password.
What it collects is broad: the wp-config.php file, the list of administrator accounts, credentials from mail plugins, and about three months of WooCommerce order data. The detail that changes the cleanup math, though, is the theft of two-factor secrets. The malware specifically hunts for the time-based one-time-password seeds stored by multiple 2FA plugins and sends them, along with stolen logins, to a domain registered through AEZA Group, a host repeatedly tied to bulletproof infrastructure. Once a TOTP seed is copied, the attacker can generate that user's valid six-digit codes at will, on their own device, indefinitely.
Why a plugin-version scan will miss it
The instinct after a supply-chain story is to run a scanner, confirm every plugin is on a patched version, and move on. That will not find this. The fake plugin removes itself from the admin list, so a dashboard or version-inventory check shows a clean site while the implant sits in wp-content/plugins/. And because the loader deletes itself after running, the absence of LicenseLoader.php proves nothing: the dropped payload outlives it.
Detection has to move down a layer. Look on the filesystem for the implant directories by name, not in the plugin manager. Watch egress for connections to the known command server and DNS lookups for the exfiltration domain. And treat the update itself as suspect: compare the timestamps and hashes of your installed Pro files against the vendor's clean releases rather than assuming a licensed, signed download is authentic. A two-hour edit window buried inside a months-long distribution period is the kind of thing that only surfaces when you diff against a known-good baseline. We made a version of this point about an earlier WordPress infrastructure backdoor, the Awesome Motive CDN implant that only fired for logged-in admins: when the trusted delivery layer is the thing that is compromised, signature-on-version checks are looking in the wrong place.
This is the same trust failure that keeps showing up in different clothes. A connected app handed over Salesforce data nobody thought to revoke; JetBrains marketplace plugins quietly shipped key-stealing code. Each time, the breach rode in through a channel the defender had already decided to trust. ShapedPlugin is the WordPress version of that lesson.
What to do this week
Did a ShapedPlugin Pro plugin pull an update on your site at any point across this past spring? If so, treat the site as compromised until you have proven otherwise, and work in this order.
- Search wp-content/plugins/ for directories named woocommerce-subscription or woocommerce-notification that you did not install, and remove the implant. Do not rely on the plugins screen; it is built to hide.
- Update the affected Pro plugins to the fixed releases (3.5.4 for Product Slider Pro, 4.0.2 for Smart Post Show Pro) once you have confirmed they come from a clean source.
- Rotate everything the malware can read: all administrator passwords, the database credentials in wp-config.php, mail-service and API keys, and any secrets reused elsewhere.
- Revoke and re-enroll two-factor authentication for every user, not just admins. A password change does not help here. As long as a stolen TOTP seed is still valid, the attacker keeps a working second factor, so the account is not yours again until that seed is regenerated.
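One way to run the first step above together with the baseline diff the detection section calls for, as a POSIX shell script added here (not code from the article, Wordfence or ShapedPlugin); the plugin slug product-slider-pro, the sample tree and the baseline manifest are constructed, and the script assumes GNU sha256sum:

```shell
#!/bin/sh
# Added example, not code from the article, Wordfence or ShapedPlugin. It runs
# the two checks the article calls for: look for the implant directories on
# disk (not in the plugins screen) and diff installed plugin files against a
# known-good sha256 manifest. Assumes GNU coreutils (sha256sum) and a manifest
# produced by running `sha256sum` inside a clean copy of the plugin.

IMPLANT_DIRS="woocommerce-subscription woocommerce-notification"

# find_implants WP_ROOT: prints each implant directory present (nothing if clean)
find_implants() {
    for d in $IMPLANT_DIRS; do
        [ -d "$1/wp-content/plugins/$d" ] && echo "$1/wp-content/plugins/$d"
    done
    return 0
}

# diff_baseline PLUGIN_DIR MANIFEST: prints MODIFIED/MISSING/EXTRA for every file
# that drifted from the clean manifest; prints nothing when the tree matches
diff_baseline() {
    plugin="$1"; manifest="$2"; actual=$(mktemp)
    (cd "$plugin" && find . -type f -exec sha256sum {} +) > "$actual"
    while read -r sum file; do                    # every file the vendor shipped
        cur=$(awk -v p="$file" '$2 == p {print $1}' "$actual")
        if [ -z "$cur" ]; then echo "MISSING $file"
        elif [ "$cur" != "$sum" ]; then echo "MODIFIED $file"; fi
    done < "$manifest"
    while read -r sum file; do                    # every file actually on disk
        grep -q "  $file\$" "$manifest" || echo "EXTRA $file"
    done < "$actual"
    rm -f "$actual"
}
# demo: constructed WordPress tree (hypothetical plugin slug) with one tampered
# file, one deleted file, a dropped loader and a hidden implant directory
demo() {
    root=$(mktemp -d); plugin="$root/wp-content/plugins/product-slider-pro"
    mkdir -p "$plugin/inc" "$root/wp-content/plugins/woocommerce-subscription"
    printf '<?php // clean\n' > "$plugin/inc/main.php"
    printf 'Product Slider Pro\n' > "$plugin/readme.txt"
    (cd "$plugin" && find . -type f -exec sha256sum {} +) > "$root/baseline.sha256"
    printf '// tampered\n' >> "$plugin/inc/main.php"          # changed after baseline
    rm "$plugin/readme.txt"                                   # gone from install
    printf '<?php // dropper\n' > "$plugin/LicenseLoader.php" # not in baseline
    find_implants "$root"
    diff_baseline "$plugin" "$root/baseline.sha256"
    rm -rf "$root"
}

demo
```

Point diff_baseline at each installed Pro plugin directory with a manifest generated from the vendor's clean release; an empty result means the installed files match the baseline.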
The order matters. On most WordPress sites a breach runbook ends at the password reset, and that is exactly the step that leaves the door open this time. Treat the auto-update reflex as a reminder, not a verdict: keeping plugins current is still right, but it protects you only when the channel delivering those updates is itself sound. Update integrity, not update recency, is the gap this attack walked through. Until WordPress vendors can attest that a given build came out of an uncompromised pipeline, the safest posture for a paid plugin is the same skepticism you would apply to any other code running with full access to your site.