ShapedPlugin Multiple Pro Plugins - Backdoor via Compromised Vendor Update Server
Summary
| CVE | CVE-2026-10735 |
|---|---|
| State | PUBLISHED |
| Assigner | WPScan |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-24 07:16:25 UTC |
| Updated | 2026-06-24 07:16:25 UTC |
| Description | Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 Pro smart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites. |
Risk And Classification
Problem Types: CWE-912 Hidden Functionality
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Unknown | Smart-post-show-pro | affected 4.0.1 4.0.2 semver | Not specified |
| CNA | Unknown | Real Testimonials Pro | affected 3.2.4 3.2.5 semver | Not specified |
| CNA | Unknown | Product Slider For WooCommerce Pro | affected 3.5.2 3.5.3 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| wpscan.com/vulnerability/160ee7f7-91b6-4cce-9462-837130621402 | [email protected] | wpscan.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Mike Gozdiskowski (en)
CNA: WPScan (en)
There are currently no legacy QID mappings associated with this CVE.