Multiple WordPress plugins developed by ShapedPlugin were compromised in a sophisticated supply chain attack, with threat actors successfully tampering with the vendor's official build and distribution pipeline to inject malicious backdoor code into Pro plugin releases.
What Happened
Attackers managed to gain access to ShapedPlugin's release infrastructure, compromising the pipeline used to build and distribute premium WordPress plugins. The malicious code was embedded into legitimate plugin packages and pushed through official channels, meaning site administrators who updated their plugins through normal WordPress mechanisms received the backdoored versions.
The injected backdoor code gave attackers a persistent foothold on WordPress installations running the compromised plugins, potentially enabling remote code execution, credential harvesting, and unauthorized access to site content and databases.
Affected Plugins
ShapedPlugin produces a range of popular WordPress plugins including WP Carousel Pro, WP Tabs Pro, Logo Carousel Pro, and other premium extensions used across thousands of WordPress installations globally. The supply chain compromise affected Pro (paid) versions distributed outside of the official WordPress.org repository, which typically lack the same automated security scanning applied to free plugins.
Why This Matters
Supply chain attacks targeting WordPress plugin vendors represent an increasingly common vector for mass compromise. Unlike direct site attacks, targeting the build pipeline allows attackers to simultaneously compromise every installation that applies a seemingly legitimate update.
The ShapedPlugin incident follows a pattern seen in similar attacks:
- Vendor credential compromise — attackers typically gain access via phishing, stolen API tokens, or compromised CI/CD credentials
- Code injection at build time — malicious payloads are inserted before packaging, making detection harder
- Trusted update channels — victims receive backdoored code through channels they trust, reducing suspicion
Immediate Recommendations
WordPress site administrators running ShapedPlugin Pro products should take the following steps immediately:
- Audit installed plugin versions against the vendor's official changelog and integrity checksums
- Disable affected plugins until clean versions are confirmed available
- Scan for indicators of compromise — look for unexpected file modifications, new admin accounts, or unusual outbound connections
- Review server logs for anomalous activity in the timeframe the compromised versions were installed
- Update credentials — rotate WordPress admin passwords, database credentials, and any API keys stored in the site environment
Vendor Response
ShapedPlugin has been notified of the compromise and is working to release clean replacement versions of affected plugins. Site operators should monitor official ShapedPlugin communications for remediation guidance and verified clean release hashes.
Broader Context
This attack highlights the ongoing risk of third-party plugin ecosystems for WordPress, which powers approximately 43% of all websites. Premium plugin vendors operating outside the WordPress.org repository have fewer mandatory security controls, making their distribution pipelines attractive targets for supply chain attacks seeking broad reach with minimal effort.
Organizations should establish processes for verifying plugin integrity before deployment, including file hash verification and staged rollout procedures that allow anomaly detection before fleet-wide updates.
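The file hash verification this paragraph calls for, together with the "audit against integrity checksums" and "look for unexpected file modifications" steps in the recommendations above, as an added Python example (not ShapedPlugin's own tooling). It assumes the vendor publishes a sha256sum-style manifest of the clean release, and it runs against a constructed fixture tree rather than a real plugin; the point it makes is that a planted file, absent from the manifest, is the case a plain `sha256sum -c` never reports.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text: str) -> dict[str, str]:
    """Lines of '<sha256>  <relative path>' (sha256sum output format); blanks and '#' comments skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, rel = line.split(None, 1)
            expected[rel.lstrip("*")] = digest.lower()  # '*' is sha256sum's binary-mode marker
    return expected

def verify_plugin_tree(plugin_dir: Path, manifest_text: str) -> dict[str, list[str]]:
    """Return files that are modified (hash differs), added (on disk, not in manifest) or missing."""
    expected = parse_manifest(manifest_text)
    on_disk = {p.relative_to(plugin_dir).as_posix(): p for p in plugin_dir.rglob("*") if p.is_file()}
    report = {"modified": [], "added": [], "missing": sorted(set(expected) - set(on_disk))}
    for rel, path in sorted(on_disk.items()):
        if rel not in expected:
            report["added"].append(rel)  # the category sha256sum -c alone never reports
        elif sha256_file(path) != expected[rel]:
            report["modified"].append(rel)
    return report

def build_demo(root: Path) -> str:
    """Constructed fixture: fake plugin with one tampered, one planted, one deleted file; returns clean manifest."""
    clean = {"demo-plugin.php": b"<?php\n// Plugin Name: Demo\n", "includes/ui.php": b"<?php\n// ui\n",
             "includes/loader.php": b"<?php\nrequire __DIR__ . '/ui.php';\n"}
    manifest = "# clean release hashes (constructed; in practice published by the vendor)\n"
    for rel, body in clean.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body)
        manifest += f"{hashlib.sha256(body).hexdigest()}  {rel}\n"
    (root / "includes/loader.php").write_bytes(b"<?php\n// tampered\n")  # modified in place
    (root / "includes/extra.php").write_bytes(b"<?php\n// planted\n")    # not in the release
    (root / "includes/ui.php").unlink()                                  # deleted
    return manifest

def run_demo() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        return verify_plugin_tree(Path(tmp), build_demo(Path(tmp)))
```

Calling `run_demo()` reports `includes/loader.php` as modified, `includes/extra.php` as added and `includes/ui.php` as missing; against a real install, point `verify_plugin_tree` at `wp-content/plugins/<plugin>` with the vendor's manifest text.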