FORSMILE
Security 2026/06/23

[URGENT] Severe Supply Chain Attack Discovered in WordPress Plugin 'ShapedPlugin' - Risk of Credential Theft

A supply chain attack has been launched against the Pro version of the popular WordPress plugin 'ShapedPlugin,' potentially leading to the theft of administrator credentials and 2FA secrets. Immediate action is required.


Within the last 24 hours, a severe supply chain attack impacting WordPress users has been reported. Paid plugins from the popular plugin vendor 'ShapedPlugin' were targeted, and malicious code was confirmed to have been injected through legitimate update channels. This attack poses a risk of stealing site administrator credentials, database credentials, and even two-factor authentication (2FA) secret keys, requiring urgent action from WordPress site operators.

Vulnerability Overview and Scope of Impact

This supply chain attack was executed by compromising the legitimate build and distribution pipelines of several paid WordPress plugins offered by ShapedPlugin, specifically Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro. The attackers injected backdoor code into the update process; once the poisoned update is applied, the backdoor installs and activates itself on the user's site as a 'fake WooCommerce plugin.' This malware is designed to steal administrator accounts, database credentials, 2FA secrets, `wp-config.php` data, and WooCommerce order details.

CVE-2026-49777: CVSS 10.0 / CRITICAL (highest severity)
CVE-2026-10735: CVSS 9.8 / CRITICAL

CVE-2026-49777 is classified as an 'improper validation of specified quantity in input' weakness in Product Slider Pro for WooCommerce, which allowed the malicious code to be embedded; it carries the maximum CVSSv3 score of 10.0. CVE-2026-10735 (CVSSv3 9.8) has been assigned as the overall identifier for the incident.

Specific Impacts and Attack Scenarios

The most dangerous aspect of this attack is that even site operators who purchased legitimate licenses and installed updates from the vendor's official update system were exposed to malware. The installed malware creates a hidden administrator account named `wp_support_sys`, granting persistent privileged access to the attackers. Furthermore, it sends database credentials (DB_NAME, DB_USER, DB_PASSWORD, DB_HOST) and `wp-config.php` salts to a command-and-control (C2) server (e.g., `cdn-stats-api.com` or `194.76.217.28:2871`). This allows attackers to gain complete control over the site, potentially leading to widespread damage, including the theft of sensitive information, data alteration, and even the injection of SEO spam.

Immediate Actions for Engineers

Engineers and administrators of affected sites must take immediate action.

1. **Update Plugins:** Update Product Slider Pro for WooCommerce to version 3.5.4 or later, Real Testimonials Pro to 3.2.6 or later, and Smart Post Show Pro to 4.0.2 or later. However, since some fixes might be released under the same version number, it is crucial to follow the vendor's instructions and ensure you are using a clean build.

2. **Reset Credentials:** Reset the passwords of all WordPress users, and disable and regenerate their 2FA secrets. Because the malware also exfiltrates the database credentials and the `wp-config.php` salts, rotate the database password and regenerate the salts as well; new salts invalidate every existing login cookie, including any the attackers hold.

3. **Check Administrator Accounts:** Review your WordPress dashboard for any unauthorized administrator accounts (e.g., `wp_support_sys`) and delete them if found.

4. **Audit File Integrity:** Perform a site-wide file integrity audit against a known-good backup or the vendor's clean build, and check the plugin directories for traces of the malware (for example the C2 indicators listed above).

5. **Block at the Firewall/WAF:** Configure the host firewall to block outbound connections to the known C2 server IPs (the backdoor opens those connections from PHP, which a web-server rule cannot intercept), and configure your WAF or web server to reject inbound requests from the same addresses.

```nginx
# Example Nginx configuration for a WordPress site (the page's example,
# translated and corrected).
#
# Caveat: Nginx only handles INBOUND requests. It cannot stop PHP code such as
# this backdoor from opening OUTBOUND connections to the C2 server; block those
# in the host firewall (nftables/iptables) or at the network edge. The deny rule
# below rejects inbound requests that originate from the reported C2 address,
# which helps if the attackers log in with the hidden administrator account
# from the same infrastructure.
#
# 194.76.217.28 is one reported IP; others may exist. Keep the list current
# with the latest IoCs (Indicators of Compromise).

server {
    # listen / server_name / root / index directives go here.

    # Reject inbound requests from known malicious infrastructure. allow/deny
    # is preferred over 'if ($remote_addr = ...)', which is unreliable inside
    # location blocks.
    deny 194.76.217.28;
    allow all;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Deny direct access to sensitive files (general best practice).
    # Note: a few plugins request wp-load.php directly; confirm yours do not
    # before keeping it in this list.
    location ~* /(wp-config\.php|wp-load\.php|license\.txt|readme\.html|changelog\.txt) {
        deny all;
    }

    # Nothing in uploads should ever execute as PHP. This must come before
    # the generic .php handler because the first matching regex wins.
    location ~* ^/wp-content/uploads/.*\.php$ {
        deny all;
    }

    # Hand PHP off to PHP-FPM. 'try_files $uri =404' ensures only files that
    # really exist are executed (closes the classic PATH_INFO trick).
    location ~* \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;  # adjust to your environment
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
    }
}
```
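The following triage script is an added example, not code from the original article or from ShapedPlugin. It turns the indicators described in the attack-scenario section (the hidden `wp_support_sys` administrator and the `cdn-stats-api.com` / `194.76.217.28` C2 endpoint) and steps 3 to 5 of the procedure above into checks that run on the web host: comparing WP-CLI's administrator list against an allow-list of approved logins, grepping the plugin tree for the reported C2 strings, and printing host-firewall rules that drop outbound traffic to the C2 address, which the web-server configuration cannot do. It assumes WP-CLI is installed for the live pipeline shown in the usage comment, and that the nftables rule targets a Debian-style `table inet filter` with an `output` chain; the approved-admin list and the sample plugin tree are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Triage helper for the ShapedPlugin incident (added example; not from the
# article or the vendor). Functions:
#   flag_unexpected_admins  - logins in WP-CLI's admin list that are not approved
#   scan_iocs               - files under a directory containing reported IoCs
#   outbound_block_rules    - host-firewall rules dropping OUTBOUND C2 traffic
# Assumptions: WP-CLI for the live pipeline; an nftables "inet filter" table
# with an "output" chain (Debian default) or classic iptables for the rules.
set -euo pipefail

# Indicators reported in the advisory text above.
C2_IP="194.76.217.28"
C2_PORT="2871"
C2_DOMAIN="cdn-stats-api.com"
BACKDOOR_USER="wp_support_sys"

# Usage (live site):
#   wp user list --role=administrator --fields=user_login --format=csv \
#       | flag_unexpected_admins approved_admins.txt
# Reads CSV (with header) on stdin; prints every login not listed, one per
# line, in ALLOWLIST_FILE. Prints nothing when all administrators are known.
flag_unexpected_admins() {
  local allowlist="$1"
  tail -n +2 | grep -vxF -f "$allowlist" || true
}

# Usage: scan_iocs /var/www/html/wp-content/plugins
# Prints each file containing any indicator. Exit status 0 if there were
# hits, 1 if the tree is clean (grep's own semantics).
scan_iocs() {
  local dir="$1"
  grep -rlF -e "$C2_DOMAIN" -e "$C2_IP" -e "$BACKDOOR_USER" -- "$dir" 2>/dev/null
}

# Prints firewall commands to review and then run as root on the web host.
# The address is blocked on every port, not only the reported ${C2_PORT}.
outbound_block_rules() {
  cat <<EOF
# nftables: drop outbound traffic to the C2 address
nft add rule inet filter output ip daddr ${C2_IP} drop
# iptables equivalent
iptables -I OUTPUT -d ${C2_IP} -j DROP
# Sinkhole the C2 hostname so PHP's name resolution never reaches it
printf '0.0.0.0 ${C2_DOMAIN}\n' >> /etc/hosts
EOF
}

# Demonstration on constructed sample data (no live site needed). Returns 0
# when the backdoor account and the planted IoC file are both detected.
demo_on_constructed_data() {
  local tmp; tmp="$(mktemp -d)"
  # Constructed WP-CLI output and approved-admin list.
  printf 'user_login\nalice\n%s\nbob\n' "$BACKDOOR_USER" > "$tmp/admins.csv"
  printf 'alice\nbob\n' > "$tmp/approved.txt"
  # Constructed plugin tree: one clean file, one carrying the C2 domain.
  mkdir -p "$tmp/plugins/legit" "$tmp/plugins/fake-woocommerce"
  printf '<?php echo "ok";\n' > "$tmp/plugins/legit/legit.php"
  printf '<?php $c2 = "https://%s/collect";\n' "$C2_DOMAIN" \
    > "$tmp/plugins/fake-woocommerce/loader.php"

  local unexpected hits
  unexpected="$(flag_unexpected_admins "$tmp/approved.txt" < "$tmp/admins.csv")"
  hits="$(scan_iocs "$tmp/plugins")"
  rm -rf "$tmp"

  echo "unexpected admins: ${unexpected:-none}"
  echo "files with IoCs:   ${hits:-none}"
  [ "$unexpected" = "$BACKDOOR_USER" ] && [ "${hits##*/}" = "loader.php" ]
}

if [ "${1:-}" = "--demo" ]; then
  demo_on_constructed_data
  outbound_block_rules
fi
```

Run it with `--demo` to see the detections fire on the constructed data, then point `scan_iocs` at the real `wp-content` tree and pipe live WP-CLI output into `flag_unexpected_admins`. The grep is a string match, so it catches the indicators only where they appear in clear text; obfuscated loaders still require the file-integrity comparison from step 4.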
