ShapedPlugin Multiple Pro Plugins - Backdoor via Compromised Vendor Update Server
Summary
| CVE | CVE-2026-10735 |
|---|---|
| State | PUBLISHED |
| Assigner | WPScan |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-24 07:16:25 UTC |
| Updated | 2026-06-25 19:07:56 UTC |
| Description | Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 Pro smart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.003870000 probability, percentile 0.305590000 (date 2026-06-29)
Problem Types: CWE-912 Hidden Functionality
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
NoneAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Unknown | Smart-post-show-pro | affected 4.0.1 4.0.2 semver | Not specified |
| CNA | Unknown | Real Testimonials Pro | affected 3.2.4 3.2.5 semver | Not specified |
| CNA | Unknown | Product Slider For WooCommerce Pro | affected 3.5.2 3.5.3 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| wpscan.com/vulnerability/160ee7f7-91b6-4cce-9462-837130621402 | [email protected] | wpscan.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Mike Gozdiskowski (en)
CNA: WPScan (en)
There are currently no legacy QID mappings associated with this CVE.