HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

Supply Chain Attack Compromises ShapedPlugin Pro Updates, Injecting Credential‑Stealing Backdoors

Attackers breached ShapedPlugin’s build pipeline and added backdoors to three Pro WordPress plugins released between April and June 2026. Sites that installed these updates may have had credentials, 2FA secrets, and full site control stolen. The incident highlights the need for robust vendor‑risk controls and continuous evidence of third‑party code integrity for SOC 2 readiness.

LiveThreat™ Intelligence · 📅 June 23, 2026· 📰 securityaffairs.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
securityaffairs.com

Supply Chain Attack Compromises ShapedPlugin Pro Updates, Injecting Credential‑Stealing Backdoors

What Happened — Attackers breached the build and distribution pipeline of ShapedPlugin, a popular WordPress plugin vendor, and inserted malicious code into three “Pro” plugin releases (Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro). Sites that installed or updated these plugins between April 2026 and June 2026 received a loader that fetched a second‑stage payload, stole credentials and 2FA secrets, and created a hidden backdoor for full site control.

Why It Matters for Compliance & Audit Readiness

  • This is a textbook supply‑chain compromise that defeats the “install updates from the vendor” control many SOC 2 programs rely on; continuous monitoring of third‑party code integrity is essential.
  • Demonstrating due‑diligence over vendor‑risk management (vendor assessments, contract clauses, and ongoing evidence collection) satisfies SOC 2 CC6.1 (Vendor Management) and CC7.1 (System Operations).
  • Mapping the incident to your vendor‑risk controls provides audit‑ready evidence that you have a process for detecting and responding to third‑party breaches.

Who Is Affected — WordPress and WooCommerce site owners across SaaS, e‑commerce, media, and small‑to‑medium business sectors; roughly 400 k active free‑plugin installations and an unknown number of paid‑plugin customers.

Recommended Actions

  • Treat ShapedPlugin as a high‑risk vendor: update your vendor‑risk register, verify the vendor’s remediation plan, and require evidence of secure build pipelines.
  • Deploy file‑integrity monitoring on your WordPress servers (e.g., hash checks of plugin files) and enable logging of unexpected REST API calls.
  • Rotate all compromised credentials and enforce MFA reset for any accounts that may have been exposed.

Source: Security Affairs

Technical Notes

  • Attack vector: compromise of the vendor’s build pipeline (third‑party dependency).
  • Loader file LicenseLoader.php pulls a payload from an attacker‑controlled server, installs a fake plugin, reports the victim domain, then self‑deletes.
  • Payload registers a hidden REST API endpoint that permits arbitrary file writes and bundles tools such as Tiny File Manager and Adminer for post‑exploitation.

Source: Security Affairs

📰 Original Source
https://securityaffairs.com/194059/hacking/shapedplugin-supply-chain-attack-backdoors-pro-plugin-updates.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →