If you use a paid ShapedPlugin plugin, act now. Attackers pushed a backdoored update through the vendor’s own licensed update system, so a normal trusted update could have infected your site.
Backdoored updates hit ShapedPlugin Pro plugins
Attackers broke into ShapedPlugin’s build and distribution pipeline and inserted backdoor code into Pro plugin releases, according to Wordfence. A backdoor is hidden access that lets an attacker control a site after installation. This was a supply chain attack, which means the malicious code came through a vendor you trusted, not from a fake download page.
This report affects sites that run ShapedPlugin Pro plugins and installed updates through the company’s official licensed update channel before the vendor contained the issue. Wordfence says the backdoored code appeared in paid releases sent through official channels. The report does not say that the free WordPress.org versions carried the same backdoor. If you only use ShapedPlugin free plugins from WordPress.org, this specific warning is not directed at you.
Treat any site with a recent ShapedPlugin Pro update as potentially compromised, scan it now, and contact ShapedPlugin for a verified clean copy and cleanup steps before you install another update.