
[CIVN-2026-0335] Multiple Vulnerabilities in Shaped Plugin Products
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
Product Slider Pro for WooCommerce versions prior to 3.5.4
Smart Post Show Pro versions prior to 4.0.2
Real Testimonials Pro version 3.2.5
Overview
Multiple vulnerabilities have been reported in ShapedPlugin products that could allow an unauthenticated attacker to gain unauthorized access to the targeted system and full control of affected sites.
Target Audience:
All organizations and individuals using Shaped Plugin products.
Risk Assessment:
High risk of unauthorized access.
Impact Assessment:
Unauthorized data access and data exfiltration, and compromise of confidentiality, integrity, and availability.
Description
Shaped Plugin develops WordPress and WooCommerce plugins that enhance website functionality, content presentation, product showcases, testimonials, and overall user experience.
Multiple vulnerabilities exist in Shaped Plugin products due to an Improper Validation of Specified Quantity in Input vulnerability in Product Slider Pro for WooCommerce, which could allow the implantation of malicious software. An unauthenticated attacker could exploit these vulnerabilities by distributing compromised plugin updates containing malicious code through trusted update mechanisms.
Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to gain unauthorized access and deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites.
Solution
Apply appropriate updates as mentioned by the vendor:
https://www.wordfence.com/blog/2026/06/psa-supply-chain-compromise-targets-shapedplugin-backdoored-pro-plugins-distributed-via-official-channels/
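A defender-side check for the affected versions listed under "Software Affected", as an added example (not part of the CERT-In advisory or any vendor code): it reads the standard WordPress plugin header from each plugin's PHP files and flags installs that match. It assumes the plugins' `Plugin Name` header equals the product names as written in this advisory and that the plugins directory is `wp-content/plugins` unless a path is given.

```python
import re
import sys
from pathlib import Path

# Affected versions as listed in this advisory. Matching on the "Plugin Name"
# header text is an assumption; confirm the header string on your install.
AFFECTED = {
    "Product Slider Pro for WooCommerce": ("lt", (3, 5, 4)),
    "Smart Post Show Pro": ("lt", (4, 0, 2)),
    "Real Testimonials Pro": ("eq", (3, 2, 5)),
}
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.I | re.M)

def parse_version(text):
    """'3.5.3' or '4.0' -> (3, 5, 3) / (4, 0, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def read_header(php_file):
    """Return (name, version) from a plugin file's header comment, or None."""
    try:
        # WordPress itself only reads the first 8 KB when looking for headers.
        head = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    except OSError:
        return None
    fields = {}
    for key, value in HEADER.findall(head):
        fields.setdefault(key.lower(), value.strip())
    if fields.get("plugin name") and fields.get("version"):
        return fields["plugin name"], fields["version"]
    return None

def is_affected(name, version):
    # Unknown plugin names fall through to ("eq", None), which never matches.
    op, bound = AFFECTED.get(name, ("eq", None))
    v = parse_version(version)
    return v < bound if op == "lt" else v == bound

def scan(plugins_dir):
    """List (path, name, version) for affected plugins under plugins_dir."""
    hits = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php_file)
        if header and is_affected(*header):
            hits.append((str(php_file), *header))
    return hits

if __name__ == "__main__":
    for path, name, version in scan(sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"):
        print(f"AFFECTED: {name} {version} ({path})")
```

A match only means the installed version is on the advisory's affected list; it does not show whether the site has already been accessed.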
Vendor Information
Shaped Plugin
https://shapedplugin.com/blog/
References
https://www.wordfence.com/blog/2026/06/psa-supply-chain-compromise-targets-shapedplugin-backdoored-pro-plugins-distributed-via-official-channels/
CVE Name
CVE-2026-10736
CVE-2026-49777
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


