CVE-2026-10735

ShapedPlugin Multiple Pro Plugins - Backdoor via Compromised Vendor Update Server

Assigner: WPScan
Reserved: 03.06.2026 Published: 24.06.2026 Updated: 24.06.2026

Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 Pro smart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites.

Product Status

Vendor	Unknown
Product	smart-post-show-pro
Versions	Default: unaffected affected from 4.0.1 to 4.0.2 (excl.)

Vendor

Unknown

Product

smart-post-show-pro

Versions

Default: unaffected

affected from 4.0.1 to 4.0.2 (excl.)

Vendor	Unknown
Product	Real Testimonials Pro
Versions	Default: unaffected affected from 3.2.4 to 3.2.5 (excl.)

Vendor

Unknown

Product

Real Testimonials Pro

Versions

Default: unaffected

affected from 3.2.4 to 3.2.5 (excl.)

Vendor	Unknown
Product	Product Slider for WooCommerce Pro
Versions	Default: unaffected affected from 3.5.2 to 3.5.3 (excl.)

Vendor

Unknown

Product

Product Slider for WooCommerce Pro

Versions

Default: unaffected

affected from 3.5.2 to 3.5.3 (excl.)

Credits

Mike Gozdiskowski finder
WPScan coordinator

References

Problem Types

CWE-912 Hidden Functionality CWE

CVE-2026-10735 PUBLISHED

ShapedPlugin Multiple Pro Plugins - Backdoor via Compromised Vendor Update Server

Product Status

Credits

References

Problem Types