Description
Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 Pro smart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites.
Published: 2026-06-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability consists of malicious code inserted into several WordPress extensions—Product Slider for WooCommerce Pro, Real Testimonials Pro, and Smart‑Post‑Show‑Pro—when they were distributed via a compromised vendor update server. The embedded code acts as an unauthenticated backdoor, enabling attackers to deploy a second‑stage payload that can exfiltrate credentials and other sensitive data and ultimately grant full control of the compromised sites.

Affected Systems

The affected products are the professional versions of Smart‑Post‑Show‑Pro (4.0.2 or earlier), Real Testimonials Pro (3.2.5 or earlier), and Product Slider for WooCommerce Pro (3.5.3 or earlier) installed on WordPress sites. All three plugins are listed by the CNA as unknown vendors, and their update channel was compromised, delivering malicious code that runs as the site’s administrator.

Risk and Exploitability

The vulnerability is triggered when a user initiates a plugin update that pulls the compromised code from the update server; no credentials or other pre‑conditions are required. The backdoor executes as part of the normal update process. The EPSS score is < 1%, but the CVSS score of 7.5 indicates a high severity. The presence of an unauthenticated backdoor that can exfiltrate credentials and ultimately grant full site control suggests a high probability of exploitation. The CVE is not yet listed in the CISA KEV catalog, but the impact warrants immediate attention.

Generated by OpenCVE AI on June 24, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deactivate and remove any instances of the affected plugins from the WordPress installation.
  • Replace the plugins with verified, up‑to‑date releases obtained from a trusted repository or the official vendor website, ensuring that the update channel uses secure, authenticated connections.
  • Perform a comprehensive malware scan of the site to detect the backdoor payload and remove any findings.

Generated by OpenCVE AI on June 24, 2026 at 16:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Product List Widget For Woocommerce Project
Product List Widget For Woocommerce Project product List Widget For Woocommerce
Real Testimonials Pro
Real Testimonials Pro real Testimonials Pro
Smart Post Show Pro
Smart Post Show Pro smart Post Show Pro
Wordpress
Wordpress wordpress
Vendors & Products Product List Widget For Woocommerce Project
Product List Widget For Woocommerce Project product List Widget For Woocommerce
Real Testimonials Pro
Real Testimonials Pro real Testimonials Pro
Smart Post Show Pro
Smart Post Show Pro smart Post Show Pro
Wordpress
Wordpress wordpress

Wed, 24 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-613

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-613

Wed, 24 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Description Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 Pro smart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites.
Title ShapedPlugin Multiple Pro Plugins - Backdoor via Compromised Vendor Update Server
References

Subscriptions

Product List Widget For Woocommerce Project Product List Widget For Woocommerce
Real Testimonials Pro Real Testimonials Pro
Smart Post Show Pro Smart Post Show Pro
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-24T13:07:38.162Z

Reserved: 2026-06-03T12:46:26.728Z

Link: CVE-2026-10735

cve-icon Vulnrichment

Updated: 2026-06-24T13:07:32.279Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:30:06Z

Weaknesses

No weakness.