
ShapedPlugin Build Pipeline Breach Injects Loaders into Paid Pro Plugins, CVE-2026-49777 CVSS 10.0
ShapedPlugin's paid plugin distribution was compromised at the build stage, delivering credential-stealing backdoors exclusively to licensed users. The attack highlights the asymmetric risk for small businesses that rely on vendor update channels without independent verification. Immediate credential rotation and pipeline audits are required.
Attackers inserted a loader into the vendor's official Pro builds. It triggers on admin pages, pulls a fake plugin from the hardcoded IP, establishes persistence via REST endpoints and install-persistent.php, and then deletes itself. Before self-erasing, the malware exfiltrates wp-config.php contents, admin accounts, WP Mail SMTP credentials, and the last three months of WooCommerce orders with payment breakdowns.

Wordfence telemetry and CVE-2026-10735 confirm the compromise was limited to licensed EDD downloads; the free WordPress.org versions show no tampering. This matches prior supply-chain patterns in which build-system access, rather than package poisoning, allowed targeted delivery to paying customers running real revenue sites.

Affected operators must rotate all passwords, regenerate 2FA, audit SMTP plugins, and scan for unauthorized REST routes. ShapedPlugin has not released indicators of compromise or a post-mortem timeline. Small-site operators using these plugins now face direct database and payment-data exposure without the visibility an enterprise SOC provides.
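The last of the remediation steps above, scanning for unauthorized REST routes, can be scripted. The following triage scanner is an added example written for this page; it is not code from Wordfence, ShapedPlugin, or the source article. It walks a plugin directory and reports two things the write-up names: any file called install-persistent.php, and register_rest_route() calls whose namespace is not on an operator-maintained allowlist. The allowlist contents, the plugin names, and the sample plugin tree built by build_sample_tree() are constructed for the demonstration and do not reproduce the real loader.

```python
"""Triage scanner for the indicators named in the ShapedPlugin write-up.

Added example, not code from Wordfence, ShapedPlugin, or the source article.
It walks a WordPress plugins directory and reports:
  - any file named install-persistent.php (file name from the write-up)
  - register_rest_route() calls whose namespace is not on an operator-kept
    allowlist (the allowlist and its contents are assumptions for the demo)
The tree built by build_sample_tree() is constructed here for illustration.
"""
import os
import re
import tempfile
from pathlib import Path

# register_rest_route( 'namespace/v1', '/route', ... ) -- capture the namespace.
REST_ROUTE_RE = re.compile(r"register_rest_route\(\s*['\"]([^'\"]+)['\"]")
SUSPECT_FILENAME = "install-persistent.php"


def scan_plugins(plugins_dir, allowed_namespaces):
    """Return a sorted list of (kind, relative_path, detail) findings."""
    findings = []
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            path = Path(root) / name
            rel = str(path.relative_to(plugins_dir))
            if name == SUSPECT_FILENAME:
                findings.append(("suspect-file", rel, name))
            if not name.endswith(".php"):
                continue
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            for match in REST_ROUTE_RE.finditer(text):
                namespace = match.group(1)
                if namespace not in allowed_namespaces:
                    findings.append(("unlisted-rest-namespace", rel, namespace))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample tree: one benign plugin, one carrying both indicators."""
    good = Path(base) / "good-plugin"
    good.mkdir(parents=True)
    (good / "good-plugin.php").write_text(
        "<?php\n"
        "add_action('rest_api_init', function () {\n"
        "  register_rest_route('good-plugin/v1', '/status', ['callback' => 'gp_status']);\n"
        "});\n"
    )
    bad = Path(base) / "dropped-plugin"
    bad.mkdir(parents=True)
    (bad / SUSPECT_FILENAME).write_text("<?php // placeholder, not the real dropper\n")
    (bad / "dropped-plugin.php").write_text(
        "<?php\n"
        "register_rest_route( \"x-persist/v1\", '/sync', array('callback' => 'xp_sync') );\n"
    )
    return base


def demo():
    """Build the constructed tree in a temp dir and scan it with a demo allowlist."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        allowlist = {"good-plugin/v1"}  # assumption: operator-maintained list
        return scan_plugins(tmp, allowlist)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"{kind:26} {path:45} {detail}")
```

On a real site, point scan_plugins() at wp-content/plugins and seed the allowlist from the namespaces your installed plugins are documented to register; every unlisted namespace is then a route to explain, not necessarily malware. Pair the file-name check with a comparison of plugin checksums against a copy downloaded out of band, since the write-up's central point is that the vendor's own update channel was the delivery path.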
ShapedPlugin: clean plugin releases are published within 21 days, or at least 12% of affected licensed sites retain active web shells in subsequent scans.
Sources (3)
- [1] Wordfence Supply Chain Analysis (https://www.wordfence.com/blog/2026/06/shapedplugin-plugins/)
- [2] CVE-2026-49777 Detail (https://nvd.nist.gov/vuln/detail/CVE-2026-49777)
- [3] ShapedPlugin Incident Notice (https://shapedplugin.com/security-notice-2026/)