WordPress Supply Chain Attack: ShapedPlugin Breach Steals 2FA Secrets

The Evolution of Evasion: Analyzing the ShapedPlugin Supply Chain Compromise

On June 16, 2026, the global WordPress ecosystem faced a sobering realization: multi-factor authentication (MFA) is only as secure as the infrastructure that holds its secrets. The Wordfence Threat Intelligence team disclosed a coordinated, critical-severity WordPress supply chain attack targeting ShapedPlugin, a popular plugin developer with over 400,000 active installations across its ecosystem. Unlike typical attacks that exploit vulnerabilities in individual sites, this campaign compromised the vendor’s commercial build-and-distribution pipeline itself. By injecting self-erasing backdoor code into the premium (“Pro”) versions of ShapedPlugin’s software, the attackers turned the legitimate update mechanism, Easy Digital Downloads (EDD), into a vector for mass exploitation.

This incident, tracked as CVE-2026-10735 with a near-maximum CVSS score of 9.8, represents an alarming shift in WordPress-focused threats. The payload does not simply hijack administrator sessions; it harvests the cryptographic secrets behind Time-Based One-Time Password (TOTP) modules. Holding both stolen administrator credentials and the raw 2FA seeds, the threat actors can generate valid authentication codes on demand, so neither the password nor the second factor stands in their way. This article provides a forensic analysis of the attack mechanics, the operational lifecycle of the malware, and the defensive steps required to neutralize the threat.

Anatomy of a WordPress Supply Chain Attack: Compromising the Update Pipeline

The core danger of a modern WordPress supply chain attack lies in its subversion of established trust. System administrators are routinely taught to keep software updated to mitigate vulnerabilities. However, when an attacker compromises a vendor’s build or deployment server, those automated or manual updates become the direct delivery vehicle for malicious payloads. In the case of ShapedPlugin, the attackers bypassed the public WordPress.org repository—where free plugins are heavily scrutinized—and focused exclusively on the vendor’s proprietary, commercial infrastructure.

Using ShapedPlugin’s licensed Easy Digital Downloads update endpoints, the attackers distributed backdoored packages to active subscribers. The backdoored code shipped inside specific Pro plugin versions released between April and June 2026, including:

  • Real Testimonials Pro (v3.2.4 and v3.2.5)
  • Product Slider Pro for WooCommerce (v3.5.2)
  • Smart Post Show Pro (v4.0.1)

Because these commercial updates were packaged, signed, and distributed from the vendor’s official licensing infrastructure, they passed every control that checks where an update comes from, and the backdoor executed with full administrator privileges as soon as the update was installed.

How the Malware Operates: The Multi-Stage Infection Lifecycle

The technical execution of the ShapedPlugin exploit is a masterclass in modern defense evasion and persistence. Instead of deploying a noisy, monolithic web shell, the actors split their malware into distinct functional phases designed to minimize their filesystem footprint and bypass security scanners.

Stage 1: The Dropper and Self-Erasure (LicenseLoader.php)

When a site administrator applies the compromised Pro plugin update, the package extracts a malicious loader file located at src/Includes/LicenseLoader.php. WordPress loads every active plugin’s files on each request and fires hook-based events as the page is built; the loader attaches to this cycle so that it runs silently on every administrative backend page load. Once triggered, LicenseLoader.php executes the following actions:

  1. It initiates an outbound HTTPS request to the attackers’ primary command-and-control (C2) IP address: 194.76.217.28:2871.
  2. It downloads a heavily obfuscated secondary ZIP archive containing the true payload.
  3. It programmatically extracts and installs this archive into the local directory as a fake plugin.
  4. In a highly calculated move to evade post-incident forensics, LicenseLoader.php deletes itself from the filesystem immediately after confirming the successful deployment of the secondary payload. This self-erasure breaks the forensic link, making it appear as though the fake plugin materialized without an entry point.

Stage 2: The Impostor woocommerce-subscription Plugin

To blend into highly complex e-commerce environments, the downloaded secondary payload registers itself as a WordPress plugin in the directory wp-content/plugins/woocommerce-subscription/. The choice of naming is a deliberate social-engineering tactic:

  • The legitimate, highly popular subscription extension by WooCommerce is named in the plural: WooCommerce Subscriptions (directory: woocommerce-subscriptions).
  • The malicious plugin is named in the singular: woocommerce-subscription.

To the untrained eye of an administrator reviewing the file structure via FTP or a hosting control panel, the directory appears completely benign. Furthermore, the malware utilizes WordPress hooks to intercept the active plugins list inside the WP Admin dashboard, dynamically filtering out its own entry. This ensures that the fake plugin remains invisible to administrative users browsing their installed modules.

Stage 3: Establishing Monitored Backdoors and Administrative Overrides

Once settled into the woocommerce-subscription folder, the payload writes a persistent file to wp-content/plugins/woocommerce-subscription/install-persistent.php. This component installs a suite of attacker tooling directly on the host server:

  • Tiny File Manager 2.6: A fully-featured web-based file management application, granting attackers full read, write, and execute permissions over the entire directory structure.
  • Adminer 5.2.1: A lightweight database management tool that allows direct SQL execution, bypassing the native WordPress database wrapper classes.
  • Custom REST API Endpoint: A hidden endpoint mapped to the native WordPress REST API that allows unauthenticated remote actors to trigger arbitrary file writes on the server.
  • Hardcoded Authentication Bypass: A backdoor that checks incoming requests for specific headers or URL query parameters, allowing the attacker to automatically log in as any valid administrator without requiring a password.

The Cryptographic Threat: Bypassing 2FA via TOTP Seed Exfiltration

While the administrative backdoors are highly dangerous, the defining characteristic of this campaign is its specific, aggressive focus on defeating Multi-Factor Authentication. Historically, defenders have viewed 2FA (and specifically Time-Based One-Time Passwords) as an absolute defense against credential theft. If an attacker steals an admin’s password, the requirement of a dynamic, 6-digit token generated on a physical mobile device blocks unauthorized entry.

However, TOTP relies on a shared symmetric secret, often called the TOTP seed. This seed is generated when a user first pairs their authenticator app (such as Google Authenticator or Authy) with the website via a QR code. The server stores this seed in its database, and the mobile device stores it locally. Every 30 seconds, both sides derive the same 6-digit code by computing an HMAC (per RFC 6238) of the seed over the current time-step counter, that is, the Unix epoch time divided by 30.

The ShapedPlugin malware exploits a structural reality: if an attacker has administrative-level access to the database, they can read the raw, unencrypted TOTP seeds stored in user metadata tables. The fake plugin actively targets and queries metadata patterns associated with the market’s leading WordPress security plugins, specifically:

  • WP 2FA
  • Wordfence Login Security

Once the database query retrieves the active TOTP seed keys along with the corresponding administrator usernames and email addresses, the malware package structures this sensitive data and exfiltrates it to a dedicated malicious domain: generate.2faplugin.org. This domain was strategically registered to mimic legitimate MFA microservices, reducing the likelihood of it raising flags in egress network logs.

With the raw TOTP seed in their possession, the attackers no longer need to compromise the administrator’s physical mobile device. They can import the stolen seed into their own TOTP generators and calculate valid login codes in real time. Because the server cannot distinguish a code generated by the legitimate administrator from one generated by the attacker, the 2FA protocol is completely bypassed.
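To make the point concrete, here is an added illustration (not code from the article or from any of the plugins it names) of the RFC 6238 derivation and of the check a remediation should run afterwards: a code computed from an exfiltrated seed passes server-side verification until the site stores a freshly generated seed. The seed value is the RFC test vector standing in for a real one, and `rotate_seed` models re-enrolment via a new QR code.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(seed, unix_time // step, digits)


def server_verify(stored_seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """What the site does at login: recompute the code from the seed it stores and
    accept it for the current step plus or minus `window` steps of clock drift."""
    return any(
        hmac.compare_digest(totp(stored_seed, unix_time + drift * 30), code)
        for drift in range(-window, window + 1)
    )


def seed_still_valid(exfiltrated_seed: bytes, stored_seed: bytes, unix_time: int) -> bool:
    """Remediation check: does a code derived from the exfiltrated seed still pass
    verification against the seed the site now stores? Must be False after rotation."""
    return server_verify(stored_seed, totp(exfiltrated_seed, unix_time), unix_time)


def rotate_seed() -> bytes:
    """Re-enrolment: a fresh 160-bit seed, which is what scanning a new QR code installs."""
    return secrets.token_bytes(20)


if __name__ == "__main__":
    # Constructed scenario: the seed stored in usermeta has been copied by the malware.
    stored = b"12345678901234567890"  # RFC 6238 test-vector seed, standing in for a real one
    stolen = stored
    now = 1_111_111_109
    print("code from stolen seed accepted:", seed_still_valid(stolen, stored, now))  # True
    stored = rotate_seed()
    print("still accepted after rotation:", seed_still_valid(stolen, stored, now))  # False
```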

Actionable Remediation and E-Commerce Defense Strategy

Because of the silent, self-erasing nature of the initial infection vector, any organization running ShapedPlugin Pro extensions within the affected date range must treat their environments as actively compromised. Simply applying the clean vendor patches (such as Product Slider Pro for WooCommerce v3.5.4 or Smart Post Show Pro v4.0.2) is insufficient to secure the server, as the secondary backdoor payloads will remain undisturbed.

Administrators must execute a meticulous, multi-step incident response checklist to guarantee complete eradication:

1. Identify and Purge Fake Plugins and Files

Inspect your server’s file system directly via SSH or secure hosting control panels. Do not rely on the WordPress admin dashboard. Scan for the existence of the following directories and files:

  • wp-content/plugins/woocommerce-subscription/
  • wp-content/plugins/woocommerce-subscription/install-persistent.php
  • Any residual occurrences of LicenseLoader.php within ShapedPlugin directories.

If found, delete the entire woocommerce-subscription directory immediately.
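A first pass at this step, as an added example that is not part of the article or the Wordfence disclosure: it walks wp-content/plugins on disk for the three indicators listed above and reports any plugin directory that the dashboard does not show, which is how the self-hiding plugin surfaces. The plugin slug real-testimonials-pro, the dashboard list and the sample tree are constructed assumptions.

```python
import tempfile
from pathlib import Path

# Indicators named in the disclosure summarised above.
FAKE_PLUGIN_DIR = "woocommerce-subscription"   # impostor, singular; the real extension is plural
PERSISTENCE_FILE = "install-persistent.php"
LOADER_FILE = "LicenseLoader.php"


def scan_plugins(wp_root: Path) -> dict:
    """Walk wp-content/plugins on disk (not the dashboard) and collect the indicators."""
    plugins = wp_root / "wp-content" / "plugins"
    hits = {"fake_plugin": [], "persistence": [], "loader": []}
    for path in plugins.rglob("*"):
        rel = path.relative_to(plugins).as_posix()
        if path.is_dir() and path.name == FAKE_PLUGIN_DIR:
            hits["fake_plugin"].append(rel)
        elif path.is_file() and path.name == PERSISTENCE_FILE:
            hits["persistence"].append(rel)
        elif path.is_file() and path.name == LOADER_FILE:
            hits["loader"].append(rel)
    return {k: sorted(v) for k, v in hits.items()}


def hidden_plugins(wp_root: Path, dashboard_slugs: set) -> set:
    """Plugin directories present on disk but missing from the Plugins screen.
    dashboard_slugs is assumed to be copied from WP Admin, where the malware filters itself out."""
    plugins = wp_root / "wp-content" / "plugins"
    on_disk = {p.name for p in plugins.iterdir() if p.is_dir()}
    return on_disk - dashboard_slugs


def build_sample_site() -> Path:
    """Constructed tree imitating an infected install; every file is a harmless placeholder."""
    root = Path(tempfile.mkdtemp())
    for rel in (
        "woocommerce-subscriptions/woocommerce-subscriptions.php",   # legitimate extension
        "real-testimonials-pro/src/Includes/LicenseLoader.php",      # residual loader (slug assumed)
        f"{FAKE_PLUGIN_DIR}/woocommerce-subscription.php",
        f"{FAKE_PLUGIN_DIR}/{PERSISTENCE_FILE}",
    ):
        f = root / "wp-content" / "plugins" / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("<?php // constructed placeholder\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    print(scan_plugins(site))
    print(hidden_plugins(site, {"woocommerce-subscriptions", "real-testimonials-pro"}))
```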

2. Invalidate and Regenerate All Cryptographic Keys

Because the attackers likely exfiltrated your TOTP seeds, your 2FA system is fundamentally broken. Password resets alone are useless because the attacker can still generate valid MFA tokens. You must:

  • Force a global reset of all user passwords.
  • Directly purge the 2FA configurations within your security plugin settings, forcing every administrator to delete their existing authenticator app profiles and scan a newly generated QR code. This generates a completely new, secure TOTP seed in the database.
  • Rotate the WordPress authentication keys and salts defined in wp-config.php (the AUTH_KEY through NONCE_SALT constants) to invalidate all existing session cookies, forcing a clean re-authentication across all active users.

3. Implement File Integrity Monitoring and Database Auditing

To defend against future supply chain threats, transition from reactive scanning to proactive runtime protection. Deploy file integrity monitoring (FIM) tools that immediately alert administrators when files are written or modified within the wp-content/plugins/ directory outside of authorized maintenance windows. Additionally, configure database auditing to flag unusual read operations on the usermeta tables, specifically looking for bulk read queries executing outside of normal application flows.
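One way to capture the file-level evidence the self-erasing loader tries to destroy, as an added example rather than anything from the article or a specific FIM product: periodic SHA-256 snapshots of wp-content/plugins diffed against each other, alerting on changes outside a maintenance window and on any plugin directory that did not exist in the baseline. The plugin slug real-testimonials-pro and the file contents are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(plugins_dir: Path) -> dict:
    """FIM baseline: SHA-256 of every file under wp-content/plugins, keyed by relative path."""
    return {
        p.relative_to(plugins_dir).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in plugins_dir.rglob("*") if p.is_file()
    }

def diff(before: dict, after: dict) -> dict:
    """Files added, removed or changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }

def should_alert(before: dict, after: dict, in_maintenance_window: bool) -> tuple:
    """Alert on any change outside an authorised window, and always on a plugin directory
    that did not exist before (a vendor update should modify its own plugin, not create one)."""
    changes = diff(before, after)
    reasons = []
    if not in_maintenance_window and any(changes.values()):
        reasons.append("change outside maintenance window")
    new_dirs = {k.split("/")[0] for k in changes["added"]} - {k.split("/")[0] for k in before}
    if new_dirs:
        reasons.append("new plugin directory: " + ", ".join(sorted(new_dirs)))
    return bool(reasons), reasons

def simulate_timeline() -> tuple:
    """Constructed replay of the lifecycle above: the Pro update drops LicenseLoader.php,
    the loader installs the fake plugin and erases itself. Slug and contents are placeholders."""
    plugins = Path(tempfile.mkdtemp()) / "wp-content" / "plugins"
    includes = plugins / "real-testimonials-pro" / "src" / "Includes"
    includes.mkdir(parents=True)
    (includes / "Loader.php").write_text("<?php // constructed benign file\n")
    baseline = snapshot(plugins)
    (includes / "LicenseLoader.php").write_text("<?php // constructed dropper placeholder\n")
    after_update = snapshot(plugins)
    fake = plugins / "woocommerce-subscription"
    fake.mkdir()
    (fake / "install-persistent.php").write_text("<?php // constructed placeholder\n")
    (includes / "LicenseLoader.php").unlink()
    after_loader_ran = snapshot(plugins)
    return baseline, after_update, after_loader_ran
```

Because the loader is recorded as added in one snapshot and removed in the next, the diff preserves the entry point that deleting the file was meant to erase.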

Ultimately, the ShapedPlugin compromise serves as a stark warning: as defensive controls like MFA become universally adopted, adversaries will naturally pivot to attacking the trusted pipelines that manage their underlying cryptography. Maintaining a zero-trust approach to third-party vendor updates is no longer optional; it is the cornerstone of modern enterprise web application security.

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.