Impact
The vulnerability consists of malicious code inserted into several WordPress extensions—Product Slider for WooCommerce Pro, Real Testimonials Pro, and Smart‑Post‑Show‑Pro—when they were distributed via a compromised vendor update server. The embedded code acts as an unauthenticated backdoor, enabling attackers to deploy a second‑stage payload that can exfiltrate credentials and other sensitive data and ultimately grant full control of the compromised sites.
Affected Systems
The affected products are the professional versions of Smart‑Post‑Show‑Pro (4.0.2 or earlier), Real Testimonials Pro (3.2.5 or earlier), and Product Slider for WooCommerce Pro (3.5.3 or earlier) installed on WordPress sites. All three plugins are listed by the CNA as unknown vendors, and their update channel was compromised, delivering malicious code that runs as the site’s administrator.
Risk and Exploitability
The vulnerability is triggered when a user initiates a plugin update that pulls the compromised code from the update server; no credentials or other pre‑conditions are required. The backdoor executes as part of the normal update process. The EPSS score is < 1%, but the CVSS score of 7.5 indicates a high severity. The presence of an unauthenticated backdoor that can exfiltrate credentials and ultimately grant full site control suggests a high probability of exploitation. The CVE is not yet listed in the CISA KEV catalog, but the impact warrants immediate attention.
OpenCVE Enrichment