PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10735 Shapedsmart CVE debrief

CVE-2026-10735 is a high-severity vulnerability (CVSS Score: 7.5) affecting multiple WordPress plugins, including Shapedsmart-post-show-pro, Real Testimonials Pro, and Product Slider for WooCommerce Pro. These plugins were compromised through a supply-chain attack, where malicious code was distributed via the vendor's compromised update server. This allows unauthenticated attackers to deploy a second-stage payload that can exfiltrate sensitive data and grant full control of affected sites. The vulnerability was made public on June 24, 2026, and last modified on June 25, 2026.

Vendor: Shapedsmart
Product: Shapedsmart-post-show-pro
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-24
Original CVE updated: 2026-06-25
Advisory published: 2026-06-24
Advisory updated: 2026-06-25

Who should care

Administrators and users of WordPress sites utilizing the affected plugins should prioritize updating to the latest, non-vulnerable versions. Additionally, site owners should monitor their sites for suspicious activity and implement security measures such as web application firewalls and regular backups.

Technical summary

The vulnerability stems from a supply-chain attack where the vendor's update server was compromised, allowing the distribution of malicious code through plugin updates. Specifically, the plugins Shapedsmart-post-show-pro (before version 4.0.2), Real Testimonials Pro (before version 3.2.5), and Product Slider for WooCommerce Pro (before version 3.5.3) were affected. The malicious code enables unauthenticated attackers to deploy a second-stage payload, potentially leading to full site compromise.

Defensive priority

High priority should be given to updating the affected plugins to their latest versions. Additionally, defenders should review their site's logs for signs of exploitation and implement compensating controls such as web application firewalls.

Recommended defensive actions

  • Update Shapedsmart-post-show-pro to version 4.0.2 or later.
  • Update Real Testimonials Pro to version 3.2.5 or later.
  • Update Product Slider for WooCommerce Pro to version 3.5.3 or later.
  • Monitor site logs for suspicious activity.
  • Implement a web application firewall.
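One way to check the three update actions above across an install, as an added example that is not part of the advisory or the vendor's tooling: it reads each plugin's header and reports any affected plugin still below the fixed version stated here. Matching on the "Plugin Name:" header text as the names are written on this page, and the default wp-content/plugins path, are assumptions.

```python
import re
import sys
from pathlib import Path

# Fixed versions as stated in this advisory. Matching on the "Plugin Name:"
# header text is an assumption; adjust the keys to what your install reports.
FIXED = {
    "shapedsmart-post-show-pro": (4, 0, 2),
    "real testimonials pro": (3, 2, 5),
    "product slider for woocommerce pro": (3, 5, 3),
}
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)


def parse_version(text):
    """Turn '4.0.1' or '4.0' into a comparable 3-part tuple of integers."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def read_header(php_file):
    """Return (plugin name, version) from a WordPress plugin header, or None."""
    head = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    # reversed() so the first occurrence of each field wins, as WordPress does.
    fields = {k.lower(): v.strip() for k, v in reversed(HEADER.findall(head))}
    if "plugin name" in fields and "version" in fields:
        return fields["plugin name"], fields["version"]
    return None


def audit(plugins_dir):
    """List (name, version, fixed_version) for affected plugins below the fix."""
    findings = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php_file)
        if header is None:
            continue
        name, version = header
        fixed = FIXED.get(name.lower())
        if fixed and parse_version(version) < fixed:
            findings.append((name, version, ".".join(map(str, fixed))))
    return findings


if __name__ == "__main__":
    for name, version, fixed in audit(sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"):
        print(f"{name} {version} is below fixed version {fixed}")
```

Run it with the path to the plugins directory as the first argument; an empty result covers version numbers only, so the log review listed above still applies.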

Evidence notes

The CVE record and NVD detail provide official information on the vulnerability. A source item from the NVD and a reference from WPScan offer additional context and details on the affected plugins and the nature of the attack.

Official resources

This article is AI-assisted and based on the supplied source corpus.