The Hacker News, 2 min read

ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack

Multiple WordPress plugins developed by ShapedPlugin were compromised in a supply chain attack in which threat actors injected backdoor code into Pro plugin releases distributed via official licensed update channels. The security firm Wordfence identified the compromise, stating that attackers tampered with the vendor's build and distribution pipeline. As a result, malicious code was pushed to users who updated their plugins through the legitimate WordPress update mechanism.

The affected plugins include those with "Pro" in their name, indicating a targeted campaign against ShapedPlugin's premium offerings. The exact number of affected users and the full extent of the malicious activity are still under investigation, but the nature of the attack suggests a significant risk to websites relying on these compromised plugins.

Users are advised to immediately check their installed ShapedPlugin Pro plugins for any signs of compromise and to consider temporarily disabling them until further information is available from ShapedPlugin or security researchers.

Original source — read the full reporting at the publisher:

Read on The Hacker News