ShapedPlugin WordPress Update Flow Compromised in Supply-Chain Attack

What Happened

On or around June 18, 2026, the update mechanism for the popular ShapedPlugin family of WordPress plugins was compromised in a supply-chain attack. Threat actors gained access to the vendor’s update infrastructure and injected malicious code into plugin updates distributed through the standard WordPress update flow. This is the third major WordPress ecosystem supply-chain incident in a short window, following similar compromises of the UpdraftPlus and OptinMonster update channels.

The ShapedPlugin suite includes widely deployed tools — most notably Real Testimonials, Logo Carousel, Post Slider, and WP Tabs — collectively active on over 200,000 WordPress sites. The compromised update mechanism meant that sites with auto-updates enabled received the tainted code silently, without any user interaction required. The malicious payload was designed to create an administrative backdoor, exfiltrate database credentials, and inject SEO spam into affected sites.

Vendor confirmation and a formal patch release are still pending as of this advisory. Site owners should take immediate defensive action.

Impact

  • Backdoor Access: The injected code created a hidden administrator account with the username wp_support_sys, granting attackers persistent privileged access.
  • Credential Exfiltration: Database credentials (DB_NAME, DB_USER, DB_PASSWORD, DB_HOST) and wp-config.php salts were exfiltrated to a command-and-control server at cdn-stats-api[.]com.
  • SEO Spam Injection: Invisible spam links and doorway pages were injected into site footers for black-hat SEO campaigns.
  • Silent Propagation: Because the compromise occurred at the update-server level, any site running a ShapedPlugin product with auto-updates enabled was susceptible — no victim action beyond having auto-updates turned on was necessary.
  • Persistence: The backdoor account and injected files survived standard plugin deactivation and removal, requiring manual remediation.

Indicators of Compromise

  • Presence of an unexpected administrator account named wp_support_sys in the WordPress users table.
  • Outbound network connections to cdn-stats-api[.]com or any subdomain thereof.
  • Unexpected files in /wp-content/plugins/ with names resembling class-wp-cache-manager.php, init-core-helper.php, or wp-db-update.php — particularly those with recent modification timestamps.
  • Modified .htaccess files containing encoded RewriteRule directives pointing to external domains.
  • Unexpected entries in wp_options table with option_name values starting with _wp_sp_ or _tmp_sp.
  • Spam links appearing in site footers referencing pharmaceutical, gambling, or counterfeit-goods domains.
  • Repeated failed login attempts for non-existent usernames followed by successful logins for wp_support_sys in access logs.

Fix

  1. Verify Plugin Integrity: Immediately compare all installed ShapedPlugin files against clean versions from a known-good backup or from a trusted mirror predating June 15, 2026. Replace any modified or unrecognized files.
  2. Disable Auto-Updates: Disable automatic plugin updates for all ShapedPlugin products pending explicit, verifiable confirmation from the vendor that the update infrastructure has been secured. This can be done via wp-config.php (define('AUTOMATIC_UPDATER_DISABLED', true);) or by using the auto_update_plugin filter. Note that the wp-config.php constant turns off all automatic updates, WordPress core included; the auto_update_plugin filter is the option that allows per-plugin control.
  3. Remove Backdoor Account: Delete the wp_support_sys user and any other unrecognized administrator accounts from the WordPress dashboard or via wp user delete.
  4. Audit the Entire Site: Perform a full file-integrity audit against a known-good backup. Check all recently modified files (find /path/to/site -mtime -7 -type f), inspect .htaccess for encoded redirects, and review the wp_options table for suspicious entries.
  5. Rotate Credentials: Change all WordPress database credentials, salts, and hosting account passwords. Regenerate wp-config.php salts using the WordPress salt generator.
  6. Scan for Residual Malware: Run a server-side malware scanner (e.g., ClamAV, Wordfence CLI, or Sucuri SiteCheck) to identify any lingering payloads.
  7. Monitor for Vendor Patch: Subscribe to ShapedPlugin’s official channels for confirmation that a clean, verified update is available. Do not re-enable updates until this confirmation is received.
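The following POSIX shell script is added here as an example and is not part of the original advisory: it checks a WordPress document root for the file-level indicators listed under Indicators of Compromise and performs the recently-modified-file sweep from step 4. The demo site tree it builds is constructed, and the grep patterns are assumptions derived from the indicator names on this page.

```shell
#!/bin/sh
# Added example (not from the advisory): file-level IoC scan for a WordPress docroot.
# The demo site tree built at the bottom is constructed; point run_ioc_scan at a
# real document root to use the checks for real.
set -u

# Indicator 1: the dropped file names listed under "Indicators of Compromise".
suspicious_plugin_files() {
  find "$1/wp-content/plugins" -type f \( -name 'class-wp-cache-manager.php' \
    -o -name 'init-core-helper.php' -o -name 'wp-db-update.php' \) 2>/dev/null
}

# Indicator 2: .htaccess RewriteRule lines redirecting to an external URL.
external_rewrites() {
  find "$1" -name .htaccess -type f -exec \
    grep -HnE '^[[:space:]]*RewriteRule[[:space:]].*https?://' {} + 2>/dev/null
}

# Indicator 3: files referencing the C2 hostname (TLD left off so the pattern
# also catches split or partially obfuscated copies; tune for your environment).
c2_references() {
  find "$1" -type f -exec grep -lF 'cdn-stats-api' {} + 2>/dev/null
}

# Fix step 4: files touched in the last 7 days; widen -mtime to cover the incident window.
recently_modified() {
  find "$1" -type f -mtime -7 2>/dev/null
}

# Runs the indicator checks, prints a count per check, returns 1 if anything hit.
run_ioc_scan() {
  hits=0
  for check in suspicious_plugin_files external_rewrites c2_references; do
    n=$("$check" "$1" | wc -l | tr -d ' ')
    echo "$check: $n"
    hits=$((hits + n))
  done
  [ "$hits" -eq 0 ]
}

# Constructed demo tree: one benign plugin, one dropped helper file, one spam redirect.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/plugins/real-testimonials"
echo '<?php // benign plugin code' > "$demo_root/wp-content/plugins/real-testimonials/plugin.php"
echo '<?php /* constructed sample: beacons to cdn-stats-api */' > "$demo_root/wp-content/plugins/init-core-helper.php"
printf 'RewriteEngine On\nRewriteRule ^(.*)$ http://spam.example/$1 [R=301,L]\n' > "$demo_root/.htaccess"
run_ioc_scan "$demo_root" || echo "indicators found under $demo_root; review recently_modified output too"
rm -rf "$demo_root"
```

A hit from any check is a reason to proceed with the full integrity audit against a known-good backup; a clean result does not prove the site is uncompromised, since database-level indicators (the wp_support_sys account, _wp_sp_ options) need separate inspection.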

Recommendations

  • Implement Update Integrity Verification: Where possible, use checksum-verification plugins or deploy updates from a staging environment only after manual review. Consider adopting a Web Application Firewall (WAF) that can detect and block unauthorized outbound connections.
  • Adopt Least-Privilege Principles: Run plugins with the minimum necessary file-system permissions. Restrict writable directories to only those that require them.
  • Network Monitoring: Implement egress filtering and monitor outbound connections from your web server. Block known-malicious IPs and domains, including cdn-stats-api[.]com, at the firewall level.
  • Regular Backups: Maintain offline, immutable backups with at least a 30-day retention window to enable rapid restoration in the event of a supply-chain compromise.
  • Vendor Due Diligence: This is the third WordPress plugin supply-chain incident in a short window. Evaluate the update infrastructure and security posture of all third-party plugins in your stack. Consider reducing reliance on auto-updates from smaller vendors lacking mature security programs.

References

This advisory will be updated as more information becomes available from the vendor and security researchers. Last updated: June 19, 2026.
