ShapedPlugin Pro update-channel compromise

Confirmed
Discovered Jun 16, 2026

Defender-focused assessment of ShapedPlugin Pro plugins.

3
Affected Packages
16
Observables
1
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Current dossier state
needs review
Last verified
Not yet independently verified
Am I affected?
real-testimonials-pro, product-slider-pro, smart-post-pro
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
Observed fact
Direct-source and cited evidence only.
Informed inference
Analysis is labelled where evidence is indirect.
Unknown
Unverified scope remains explicitly open.
generate[.]2faplugin[.]org
194[.]76[.]217[.]28
src/Includes/LicenseLoader[.]php
wp-content/plugins/woocommerce-subscription/
0e17c869d3e4586d4c160041042bd15123c2a37117a98a995fae885f0f4417fc

Analysis

Executive Summary

Wordfence reported that attackers compromised ShapedPlugin’s build and distribution pipeline and injected a backdoor into Pro plugin releases delivered through the official licensed update channel. Confirmed scope included Real Testimonials Pro 3.2.5, Product Slider Pro before 3.5.4, and Smart Post Pro before 4.0.2. The loader contacted 194.76.217.28:2871, installed a disguised plugin, and the payload stole credentials and two-factor secrets to generate.2faplugin.org while establishing multiple persistence paths. [1]

The public evidence supports a high-confidence incident, but does not support filling every missing artifact, actor, victim, or infrastructure field. Unknown values below remain explicit. [1]

Key Facts

Analysis table
FactValue
Affected artifactShapedPlugin Pro plugins
Ecosystemwordpress
Malicious versions/referencereal-testimonials-pro 3.2.5, product-slider-pro <3.5.4, smart-post-pro <4.0.2
Disclosure2026-06-16
Immediate actionPreserve evidence, disable the affected path, revoke exposed identities, and audit downstream use

Evidence Assessment

Analysis table
AssessmentClaim
ConfirmedWordfence reported that attackers compromised ShapedPlugin’s build and distribution pipeline and injected a backdoor into Pro plugin releases delivered through the official licensed update channel. Confirmed scope included Real Testimonials Pro 3.2.5, Product Slider Pro before 3.5.4, and Smart Post Pro before 4.0.2. The loader contacted 194.76.217.28:2871, installed a disguised plugin, and the payload stole credentials and two-factor secrets to generate.2faplugin.org while establishing multiple persistence paths. [1]
UnclearExact full victim scope, complete exposure window, and any indicators not listed in iocs.json.
Not observedNo additional attacker infrastructure is asserted beyond the source-backed values.

Impact Determination

Analysis table
ClassificationCriteriaRequired actionClosure gate
Confirmed compromiseMatching deployment/artifact plus unauthorized downstream activityIsolate, preserve, revoke, investigateNo persistence or unauthorized follow-on activity; affected identities rotated
ExposedMatching vendor/update/browser path without confirmed executionCollect deployment and access historyComplete inventory and negative evidence review
Not observedVerified clean deployment outside the evidenced window/pathDocument evidenceIndependent validation recorded

Minimum Evidence To Collect

  • Collect deployment/update and administrative audit logs from the affected control plane; they establish who changed or delivered the artifact.
  • Collect endpoint, application, proxy, and identity-provider telemetry from affected systems; they resolve execution and downstream access.
  • Preserve suspect files, bundles, caches, and configuration with hashes and UTC timestamps before remediation.
  • Record credential and session revocation evidence because exposed tokens or user signing context may remain useful after containment.

Timeline

  • 2026-06-16: Public source disclosure or reporting. [1]
  • Other exact timestamps not stated in the supplied sources remain unknown; incident teams should build a UTC timeline from their own logs.

What Happened

Wordfence reported that attackers compromised ShapedPlugin’s build and distribution pipeline and injected a backdoor into Pro plugin releases delivered through the official licensed update channel. Confirmed scope included Real Testimonials Pro 3.2.5, Product Slider Pro before 3.5.4, and Smart Post Pro before 4.0.2. The loader contacted 194.76.217.28:2871, installed a disguised plugin, and the payload stole credentials and two-factor secrets to generate.2faplugin.org while establishing multiple persistence paths. [1]

Initial Access and Execution Trigger

Treat the vendor, deployment, update, or RMM control plane as an exposure boundary. Collect administrative audit logs, credential/token use, package or deployment history, target host inventories, and downstream access records; distinguish legitimate tool use from unauthorized deployment. [1]

Payload Behavior, Credentials, and Data

The source-backed impact is limited to the facts stated above. The machine-readable profile does not add unsupported malware infrastructure or hashes. [1]

Defense Evasion, Exfiltration, and Command and Control

Use only the source-backed selectors in iocs.json. Where those arrays are empty, hunt from deployment, identity, browser, and host telemetry instead of treating vendor or reporting domains as attacker infrastructure.

Affected Assets and Blast Radius

Prioritize systems that consumed ShapedPlugin Pro plugins, their administrative identities, and connected downstream data or funds. Scope should be evidence-driven rather than assuming every customer was compromised.

Indicators of Compromise

See iocs.json. Confirmed selectors include: ShapedPlugin, Real Testimonials Pro 3.2.5, Product Slider Pro before 3.5.4, Smart Post Pro before 4.0.2, LicenseLoader.php, wp-content/plugins/woocommerce-subscription/, /wp-json/wc/v3/settings/apply, generate.2faplugin.org, 194.76.217.28:2871. Empty IOC categories are intentionally omitted from this prose.

Detection and Hunting

Run scripts/hunt_shapedplugin-pro-update-channel-compromise.py opens in a new tab against exported CSV, JSON, JSONL, text, log, YAML, XML, JavaScript, or HAR evidence. It answers whether source-backed incident selectors occur in the collected scope. A match is a triage lead, not proof by itself; expected false positives include documentation and legitimate product references. Escalate by preserving the matched evidence, correlating deployment and identity timestamps, and reviewing downstream activity.

Downstream Abuse Audits

Review the identities at risk—WordPress passwords and TOTP seeds—for access after the earliest suspected exposure. Revoke active sessions/tokens first when continued misuse is plausible, then compare administrative, application, and transaction records to an approved baseline.

Remediation and Recovery Gates

  1. Preserve suspect artifacts, deployment metadata, logs, and UTC timestamps.
  2. Stop the affected integration, update, RMM, or browser delivery path.
  3. Isolate confirmed systems and disable compromised administrative identities.
  4. Revoke and rotate WordPress passwords and TOTP seeds.
  5. Remove malicious artifacts and persistence identified by evidence.
  6. Rebuild from independently verified artifacts when execution occurred.
  7. Audit downstream access and transactions for the full evidence-backed window.
  8. Restore only after clean deployment and cache/update validation.
  9. Close only when inventory is complete, tokens/sessions are invalidated, no persistence remains, and monitoring shows no follow-on activity.

Open Questions

  • What exact deployment, build, package, or vendor identity was altered?
  • What are the first and last confirmed exposure timestamps?
  • Which customers or systems have positive execution or downstream-abuse evidence?

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
Jun 16, 2026DiscoveryDiscovery recorded for ShapedPlugin Pro update-channel compromise.wordfence.com
Jun 16, 2026ShapedPlugin Pro update-channel compromiseUnknownwordfence.com
Jun 16, 2026First seenFirst seen recorded for ShapedPlugin Pro update-channel compromise.wordfence.com
Jun 16, 2026DisclosureDisclosure recorded for ShapedPlugin Pro update-channel compromise.wordfence.com

Affected Software

3 of 3 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
real-testimonials-prowordpress3.2.5Malicious90%wordfence.com
product-slider-prowordpress<3.5.4Malicious90%wordfence.com
smart-post-prowordpress<4.0.2Malicious90%wordfence.com

IOC Clipboard

16 IOCs
domaingenerate.2faplugin.org
ip194.76.217.28
file_pathsrc/Includes/LicenseLoader.php
file_pathwp-content/plugins/woocommerce-subscription/
hash0e17c869d3e4586d4c160041042bd15123c2a37117a98a995fae885f0f4417fc
commandShapedPlugin
commandReal Testimonials Pro 3.2.5
commandProduct Slider Pro before 3.5.4
commandSmart Post Pro before 4.0.2
commandLicenseLoader.php
commandwp-content/plugins/woocommerce-subscription/
command/wp-json/wc/v3/settings/apply
commandgenerate.2faplugin.org
command194.76.217.28:2871
network_patterngenerate.2faplugin.org
network_pattern194.76.217.28

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
ShapedPlugin Pro update-channel compromise exported-evidence scopePythonDo collected exports contain source-backed incident selectors?scripts/hunt_shapedplugin-pro-update-channel-compromise.py opens in a new tabwordfence.com

Hunt Manifest: ShapedPlugin Pro update-channel compromise exported-evidence scope

Title
ShapedPlugin Pro update-channel compromise exported-evidence scope
Question
Do collected exports contain source-backed incident selectors?
Telemetry Family
Python
Repository
scripts/hunt_shapedplugin-pro-update-channel-compromise.py
Show tested hunting scriptscripts/hunt_shapedplugin-pro-update-channel-compromise.py
scripts/hunt_shapedplugin-pro-update-channel-compromise.py opens in a new tabPython
#!/usr/bin/env python3
"""Offline incident-specific selector hunt for shapedplugin-pro-update-channel-compromise."""
import json, os, sys
from pathlib import Path
SELECTORS=['ShapedPlugin', 'Real Testimonials Pro 3.2.5', 'Product Slider Pro before 3.5.4', 'Smart Post Pro before 4.0.2', 'LicenseLoader.php', 'wp-content/plugins/woocommerce-subscription/', '/wp-json/wc/v3/settings/apply', 'generate.2faplugin.org', '194.76.217.28:2871']
TEXT_SUFFIXES={'.csv','.json','.jsonl','.txt','.log','.yaml','.yml','.xml','.js','.map','.har','.php','.ini','.conf'}
def scan(root):
 matches=[]
 paths=[root] if root.is_file() else root.rglob('*')
 for p in paths:
  if p.is_file() and (not p.suffix or p.suffix.lower() in TEXT_SUFFIXES):
   try:
    text=p.read_text(errors='ignore').lower()
   except OSError:
    continue
   hits=sorted(s for s in SELECTORS if s.lower() in text)
   if hits: matches.append({'path':str(p),'hits':hits})
 return matches
def main():
 root=Path(sys.argv[1] if len(sys.argv)>1 else '.'); matches=scan(root); report={'incident':'shapedplugin-pro-update-channel-compromise','match_count':len(matches),'matches':matches}
 out=Path(os.environ.get('OUT','hp-shapedplugin-pro-update-channel-compromise-hunt')); out.mkdir(parents=True,exist_ok=True); target=out/'report.json'; target.write_text(json.dumps(report,indent=2)); print(json.dumps({'match_count':len(matches),'report':str(target)})); return 2 if matches else 0
if __name__=='__main__': raise SystemExit(main())

Provenance & Sources

1 of 1 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
wordfence.comSecurity Researcher95%1Defender-focused assessment of ShapedPlugin Pro plugins.