CVE-2026-10735 Overview
CVE-2026-10735 is a supply chain compromise affecting three premium WordPress plugins distributed by Shapedsmart. The vendor's update server was compromised, allowing attackers to push malicious code to plugin users through legitimate update channels. Affected versions include smart-post-show-pro before 4.0.2, Real Testimonials Pro before 3.2.5, and Product Slider for WooCommerce Pro before 3.5.3. The injected code retrieves a second-stage payload that exfiltrates credentials and other sensitive data, granting unauthenticated attackers full control of affected sites.
Critical Impact
Unauthenticated attackers can exfiltrate credentials and seize full control of WordPress sites running the affected plugin versions.
Affected Products
- Shapedsmart smart-post-show-pro WordPress plugin before 4.0.2
- Shapedsmart Real Testimonials Pro WordPress plugin before 3.2.5
- Shapedsmart Product Slider for WooCommerce Pro WordPress plugin before 3.5.3
Discovery Timeline
- 2026-06-24 - CVE-2026-10735 published to NVD
- 2026-06-24 - Last updated in NVD database
Technical Details for CVE-2026-10735
Vulnerability Analysis
CVE-2026-10735 is a software supply chain attack rather than a traditional code flaw. Shapedsmart's update infrastructure was compromised, and malicious code was bundled into legitimate plugin updates. Site administrators who installed or auto-updated to vulnerable versions unknowingly executed attacker-controlled code with full PHP privileges on their WordPress installations.
The injected code functions as a loader. Once active on a victim site, it contacts attacker infrastructure and retrieves a second-stage payload. That payload exfiltrates WordPress credentials, database secrets, API keys, and other sensitive data accessible to the PHP process. The attack requires no authentication or user interaction because the malicious code executes server-side on every page load.
Root Cause
The root cause is a compromise of the vendor's update distribution server. The trust relationship between WordPress sites and the plugin vendor was abused to deliver updates that appeared legitimate but contained hostile code. This is a trust-chain failure in the software supply chain rather than a memory or input validation defect.
Attack Vector
The attack vector is network-based and exploits the WordPress automatic update mechanism. Sites configured to auto-update plugins received the trojanized versions directly. Manually updated sites were also affected if administrators installed the compromised releases. After execution, the loader establishes outbound connections to attacker-controlled command and control endpoints to stage further activity.
No proof-of-concept code is required because the malicious functionality ships inside the plugin itself. See the WPScan Vulnerability Detail for indicators and technical specifics.
Detection Methods for CVE-2026-10735
Indicators of Compromise
- Presence of smart-post-show-pro versions earlier than 4.0.2, Real Testimonials Pro earlier than 3.2.5, or Product Slider for WooCommerce Pro earlier than 3.5.3 on a WordPress installation.
- Outbound HTTP/HTTPS requests from the web server PHP process to unfamiliar domains shortly after plugin update events.
- Unexpected PHP files or modifications under wp-content/plugins/ corresponding to the affected plugins.
- Newly created WordPress administrator accounts or modified wp_options entries dated after the plugin update.
Detection Strategies
- Inventory all WordPress installations and compare installed plugin versions against the known-malicious version ranges listed in the WPScan Vulnerability Detail.
- Hash plugin files on disk and compare against vendor-published checksums for the patched releases.
- Inspect web server outbound network logs for connections initiated by php-fpm or the web server user to non-standard external hosts.
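The inventory and checksum steps above, as an added example in Python that is not part of this advisory and is not Shapedsmart's or WPScan's code. It assumes the standard WordPress layout in which each plugin's main PHP file carries a "Version:" header, reuses the plugin slugs from the WP-CLI commands on this page, and expects the reader to supply vendor-published SHA-256 digests; the plugin tree it builds and the unlisted wp-helper.php file are constructed for the demonstration. Versions are compared numerically (4.0.10 is newer than 4.0.2), and files on disk that are missing from the vendor manifest are reported separately, since that is where an added loader would appear.

```python
"""Inventory WordPress plugin versions and verify plugin file checksums.

Added example, not advisory, vendor or WPScan code. Assumes the standard
WordPress layout in which each plugin's main PHP file carries a "Version:"
header; the plugin tree built by build_sample_tree() is constructed.
"""
import hashlib
import os
import re
import tempfile

# Affected slug -> first fixed release, taken from the advisory text.
FIXED_VERSIONS = {
    "smart-post-show-pro": "4.0.2",
    "real-testimonials-pro": "3.2.5",
    "product-slider-for-woocommerce-pro": "3.5.3",
}
# Matches the " * Version: 4.0.1" line of a plugin header docblock.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

def parse_version(text):
    """'4.0.10' -> (4, 0, 10): numeric, so 4.0.10 sorts after 4.0.2."""
    pieces = (re.match(r"\d+", p) for p in text.strip().split("."))
    nums = [int(m.group()) for m in pieces if m]
    return tuple(nums + [0] * (3 - len(nums)))  # 4.0 == 4.0.0

def is_affected(slug, version):
    """True when the installed version predates the fixed release for that slug."""
    fixed = FIXED_VERSIONS.get(slug)
    return fixed is not None and parse_version(version) < parse_version(fixed)

def read_plugin_version(header_text):
    """Extract the Version: value from a plugin header, or None if absent."""
    match = VERSION_RE.search(header_text)
    return match.group(1) if match else None

def scan_plugins_dir(plugins_dir):
    """Return [(slug, version, status)] for each advisory slug present on disk."""
    findings = []
    for slug in FIXED_VERSIONS:
        plugin_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_dir):
            continue
        version = None
        for name in sorted(n for n in os.listdir(plugin_dir) if n.endswith(".php")):
            with open(os.path.join(plugin_dir, name), encoding="utf-8", errors="replace") as fh:
                version = read_plugin_version(fh.read(8192))  # header sits at the top
            if version:
                break
        status = "unknown" if version is None else ("affected" if is_affected(slug, version) else "patched")
        findings.append((slug, version, status))
    return findings

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def verify_checksums(plugin_dir, expected):
    """Compare files under plugin_dir with a manifest of vendor SHA-256 digests
    (relative path -> hex). Files present on disk but absent from the manifest
    land in 'unexpected', which is where a dropped loader would show up."""
    on_disk = set()
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            on_disk.add(os.path.relpath(os.path.join(root, name), plugin_dir))
    report = {"modified": [], "missing": [], "unexpected": sorted(on_disk - set(expected))}
    for rel, digest in expected.items():
        if rel not in on_disk:
            report["missing"].append(rel)
        elif sha256_file(os.path.join(plugin_dir, rel)) != digest:
            report["modified"].append(rel)
    return report

def build_sample_tree():
    """Create a constructed wp-content/plugins tree so the script runs offline."""
    base = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "smart-post-show-pro": "4.0.1",                  # below 4.0.2: affected
        "real-testimonials-pro": "3.2.5",                # exactly the fixed release
        "product-slider-for-woocommerce-pro": "3.5.10",  # newer than 3.5.3
    }
    for slug, version in samples.items():
        os.makedirs(os.path.join(base, slug))
        with open(os.path.join(base, slug, slug + ".php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n/**\n * Plugin Name: %s\n * Version: %s\n */\n" % (slug, version))
    # A constructed file that is not in the vendor manifest, to exercise 'unexpected'.
    with open(os.path.join(base, "smart-post-show-pro", "wp-helper.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php // constructed sample: unlisted file\n")
    return base

if __name__ == "__main__":
    root = build_sample_tree()
    print(scan_plugins_dir(root))
    main_php = os.path.join(root, "smart-post-show-pro", "smart-post-show-pro.php")
    print(verify_checksums(os.path.dirname(main_php), {"smart-post-show-pro.php": sha256_file(main_php)}))
```

Point scan_plugins_dir() at a real wp-content/plugins directory to inventory a site; verify_checksums() needs a manifest of digests obtained from the vendor for the patched release, not digests computed from the site being checked.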
Monitoring Recommendations
- Monitor file integrity on the wp-content/plugins/ directory and alert on modifications outside scheduled update windows.
- Log and review all plugin auto-update events centrally, correlating timestamps with outbound network anomalies.
- Audit WordPress user tables for unauthorized administrative account creation or role changes.
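The correlation of plugin update events with outbound network anomalies recommended above (and the outbound-log inspection under Detection Strategies), as an added example in Python that is not part of this advisory. It reads plugin update audit events and an egress log, both in a constructed key=value format that stands in for whatever a site's audit plugin and egress proxy or firewall actually emit, flags connections from the web server user to hosts outside a site-specific allow-list, and marks those that follow an update event within a window as high priority. The allow-list, the example.invalid hostnames, the web server user names and the 30-minute window are assumptions.

```python
"""Correlate plugin update events with outbound connections from the web server.

Added example, not advisory, vendor or WPScan code. Both log formats below are
constructed for the demonstration; real sources need their own parsers, but the
correlation logic is the same.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: plugin update audit events, "TIMESTAMP event key=value ...".
UPDATE_EVENTS = """\
2026-06-25T09:58:02Z plugin_update slug=smart-post-show-pro from=4.0.0 to=4.0.1
2026-06-25T13:30:00Z plugin_update slug=akismet from=5.3 to=5.3.1
"""

# Constructed sample: egress log of connections opened by local processes.
EGRESS_LOG = """\
2026-06-25T09:58:40Z user=www-data proc=php-fpm dst=api.wordpress.org:443
2026-06-25T09:59:11Z user=www-data proc=php-fpm dst=cdn-assets.example.invalid:443
2026-06-25T11:20:05Z user=root proc=apt-get dst=deb.debian.org:80
2026-06-25T13:31:02Z user=www-data proc=php-fpm dst=downloads.wordpress.org:443
2026-06-25T15:02:47Z user=www-data proc=php-fpm dst=metrics.example.invalid:443
"""

# Assumed site-specific allow-list of hosts the PHP process may legitimately reach.
ALLOW_LIST = {"api.wordpress.org", "downloads.wordpress.org", "wordpress.org"}
# Assumed account names under which php-fpm / the web server run.
WEB_USERS = {"www-data", "php-fpm", "nginx", "apache"}

def parse_line(line):
    """Split 'TIMESTAMP [event] key=value ...' into (aware datetime, dict)."""
    ts_text, _, rest = line.strip().partition(" ")
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = {}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
        else:
            fields.setdefault("event", key)  # bare word: the event name
    return ts, fields

def host_allowed(host, allow_list):
    """Exact match or subdomain of an allow-listed domain (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allow_list)

def find_anomalies(update_text, egress_text, allow_list=ALLOW_LIST, window=timedelta(minutes=30)):
    """Return web-server connections to non-allow-listed hosts, each tagged with
    the plugin update (if any) that preceded it within `window`."""
    updates = [parse_line(ln) for ln in update_text.splitlines() if ln.strip()]
    anomalies = []
    for line in egress_text.splitlines():
        if not line.strip():
            continue
        ts, fields = parse_line(line)
        if fields.get("user") not in WEB_USERS:
            continue  # only the PHP / web server identity matters here
        host = fields.get("dst", "").rsplit(":", 1)[0]
        if host_allowed(host, allow_list):
            continue
        related = [u for u_ts, u in updates if timedelta(0) <= ts - u_ts <= window]
        anomalies.append({
            "ts": ts.isoformat(),
            "dst": host,
            "proc": fields.get("proc"),
            "after_update": related[0]["slug"] if related else None,
            "priority": "high" if related else "medium",
        })
    return anomalies

if __name__ == "__main__":
    for finding in find_anomalies(UPDATE_EVENTS, EGRESS_LOG):
        print(finding)
```

Run against the constructed samples, the connection to cdn-assets.example.invalid 69 seconds after the smart-post-show-pro update is reported as high priority, while the later connection to metrics.example.invalid, with no update in the preceding 30 minutes, is reported as medium; the root/apt-get line and the wordpress.org connections are not reported at all. The allow-list should be built from what the site actually needs, and the window tuned to how quickly post-update loader traffic appears in the environment.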
How to Mitigate CVE-2026-10735
Immediate Actions Required
- Update smart-post-show-pro to 4.0.2 or later, Real Testimonials Pro to 3.2.5 or later, and Product Slider for WooCommerce Pro to 3.5.3 or later.
- Rotate all WordPress administrator passwords, database credentials, API keys, and any secrets stored in wp-config.php on potentially affected sites.
- Review the WordPress users table and remove any unauthorized accounts or elevated roles introduced after the compromise window.
- Where feasible, restore affected sites from a known-clean backup taken before the malicious plugin version was installed.
Patch Information
Shapedsmart has released fixed versions: smart-post-show-pro 4.0.2, Real Testimonials Pro 3.2.5, and Product Slider for WooCommerce Pro 3.5.3. These releases remove the malicious loader code. Refer to the WPScan Vulnerability Detail for confirmed remediation guidance.
Workarounds
- Deactivate and remove the affected plugins until they can be updated and the site can be validated as clean.
- Restrict outbound network traffic from the web server to a known allow-list to prevent loader staging from succeeding.
- Place the site behind a web application firewall and block known malicious indicators referenced by upstream advisories.
# Configuration example: identify affected plugin versions via WP-CLI
wp plugin get smart-post-show-pro --field=version
wp plugin get real-testimonials-pro --field=version
wp plugin get product-slider-for-woocommerce-pro --field=version
# Force update to patched versions
wp plugin update smart-post-show-pro --version=4.0.2
wp plugin update real-testimonials-pro --version=3.2.5
wp plugin update product-slider-for-woocommerce-pro --version=3.5.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

